Abstract. Separation logic is a Hoare-style logic for reasoning about programs with heap-allocated mutable data structures. As a step toward extending separation logic to high-level languages with ML-style general (higher-order) storage, we investigate the compatibility of nested Hoare triples with several variations of higher-order frame rules.

The interaction of nested triples and frame rules can be subtle, and the inclusion of 
certain frame rules is in fact unsound. A particular combination of rules can be shown 
consistent by means of a Kripke model where worlds live in a recursively defined ultrametric 
space. The resulting logic allows us to elegantly prove programs involving stored code. In 
particular, using recursively defined assertions, it leads to natural specifications and proofs 
of invariants required for dealing with recursion through the store. 



Many programming languages permit not only the storage of first-order data, but also forms of higher-order store. Examples are code pointers in C, and ML-like general references. It is therefore important to have modular reasoning principles for these language features. Separation logic is an effective formalism for modular reasoning about pointer programs, in low-level C-like programming languages and, more recently, also in higher-level languages [17, 25]. However, its assertions are usually limited to talk about first-order data.

In previous work, we have begun the study of separation logic for languages with higher-order store [5, 23]. A challenge in this research is the combination of proof rules from separation logic for modular reasoning, and proof rules for code stored on the heap. Ideally, a program logic for higher-order store provides sufficiently expressive proof rules that, e.g., can deal with recursion through the store, and at the same time interact well with (higher-order) frame rules, which enable modular program verification.

Our earlier work [5, 23] shows that separation logic is consistent with higher-order store.
However, the formulation in this earlier work has a shortcoming: code is treated like any 
other data in that assertions can only mention concrete commands. In order to obtain 
modular, open and reusable reasoning principles, it is clearly desirable to abstract from 
particular code and instead (partially) specify its behaviour. For example, when verifying 
mutually recursive procedures on the heap, one would like to consider each procedure in 
isolation, relying on properties but not the implementations of the others. The recursion 
rule given by Birkedal et al. [5] and Reus and Schwinghammer [23] does not achieve this. 
A second, and less obvious consequence of lacking behavioural specifications for code in 
assertions is that one cannot take full advantage of the frame rules of separation logic. For 
instance, the programming language in [5] can simulate higher-order procedures by passing 
arguments through the heap, but the available (higher-order) frame rules are not useful 
here because an appropriate specification for this encoding is missing. 

In this article, we address these shortcomings by investigating a program logic in which 
stored code can be specified using Hoare triples, i.e., an assertion language with nested 
triples. This is an obvious idea, but the combination of nested triples and frame rules turns 
out to be tricky: the most natural combination is in fact unsound. 

The main technical contributions of this article are therefore: 

(1) the observation that certain "deep" frame rules can be unsound, 

(2) the suggestion of a "good" combination of nested Hoare triples and frame rules, and 

(3) the verification of those rules by means of an elegant Kripke model, based on a denotational semantics of the programming language, where the worlds are themselves world-dependent sets of heaps.

The worlds form a complete metric space and (the denotation of) the operation ⊗, needed to generically express higher-order frame rules, is contractive; as a consequence, our logic permits recursively defined assertions.

Outline. After introducing the syntax of programming language and assertions in Section 2, we discuss some unsound combinations of rules in Section 3. This section also contains the suggested set of rules for our logic. The soundness of the logic is then shown in Section 4. Section 5 discusses further proof rules for nested triples. Finally the conclusion addresses related work and the differences between the model presented here and a step-indexed model.

2. Syntax of Programs and Assertions 
This section presents the syntax of the programming language and that of assertions. 

2.1. Programming language. We consider a simple imperative programming language extended with operations for stored code and heap manipulation. The syntax of the language is shown in Figure 1. The expressions in the language are integer expressions, variables, and the quote expression 'C' for representing an unevaluated command C. The integer or code value denoted by expression e1 can be stored in a heap cell e0 using [e0] := e1, and this stored value can later be looked up and bound to the (immutable) variable y by let y=[e0] in D. In case the value stored in cell e0 is code 'C', we can run (or "evaluate") this code by executing eval [e0]. Our language also provides constructs for allocating and disposing heap cells such as e0 above.

  e ∈ Exp    ::= ... | -1 | 0 | 1 | ... | e1 + e2 | ... | x        integer expressions, variable
               | 'C'                                             quote (command as expression)

  C ∈ Com    ::= [e1] := e2 | let y=[e] in C | eval [e]          assignment, lookup, unquote
               | let x=new(e1, ..., en) in C | free e            allocation, disposal
               | skip | C1 ; C2                                  no op, sequencing
               | if (e1=e2) then C1 else C2                      conditional

  P,Q ∈ Assn ::= false | true | P ∨ Q | P ∧ Q | P ⇒ Q            intuitionistic-logic connectives
               | ∀x.P | ∃x.P | e1 = e2 | e1 < e2                 quantifiers, atomic formulas
               | e1 ↦ e2 | emp | P * Q                           separating connectives
               | {P} e {Q} | P ⊗ Q                               Hoare triple, invariant extension
               | X(e⃗) | (μX(x⃗).P)(e⃗) | ...                        relation variable, recursion

Figure 1. Syntax of expressions, commands and assertions

We point out that, as in ML, all variables x, y, z in our language are immutable, so that once they are bound to a value, their values do not change. This property of the language lets us avoid side conditions on variables when studying frame rules. Finally, we do not include while loops in our language; these could be added easily, and they can also be expressed by stored code (using Landin's knot).^1

Example 2.1 (Iterate procedure). An iterator that calls its parameter function as well as itself through the store can be programmed as follows.

  C_{it,f,c} = let n = [c] in
                 if n = 0 then skip else ( eval [f] ; [c] := n-1 ; eval [it] )

Here we assume that cells it, f and c are some fixed global constants, and that the iterator code is stored in the cell it. Command C_{it,f,c} then calls the code in f as many times as the value of counter cell c prescribes.

2.2. Assertions and distribution axioms. Our assertion language is standard first-order intuitionistic logic, extended with separating connectives emp and *, the points-to predicate ↦ [25], and recursively defined assertions (μX(x⃗).P)(e⃗). The syntax of assertions appears in Figure 1. Each assertion describes a property of states, which consist of an immutable stack and a mutable heap. Formula emp means that the heap component of the state is empty, and P * Q means that the heap component can be split into two, one satisfying P and the other satisfying Q, both evaluated with respect to the same stack. The spatial implication operator ("magic wand") is omitted here for reasons explained later in Remark 4.9. The points-to predicate e0 ↦ e1 states that the heap component consists of only one cell e0 whose content is e1 or, in case e1 is a command, an approximation e' of e1 which is defined (terminates) for fewer heaps than e1. This is in line with the fact that we consider partial correctness only.

^1 To obtain the original while rule of Hoare logic one needs to be able to hide the additional pointer storing the body of the while loop. This can be achieved using anti-frame rules as discussed e.g. in [28].

J. SCHWINGHAMMER, L. BIRKEDAL, B. REUS, AND H. YANG

  P ∘ R              ≜  (P ⊗ R) * R
  {P} e {Q} ⊗ R      ⇔  {P ∘ R} e {Q ∘ R}
  (P ⊗ R') ⊗ R       ⇔  P ⊗ (R' ∘ R)
  (κx.P) ⊗ R         ⇔  κx.(P ⊗ R)                    (κ ∈ {∀, ∃}, x ∉ fv(R))
  (P ⊕ Q) ⊗ R        ⇔  (P ⊗ R) ⊕ (Q ⊗ R)              (⊕ ∈ {∧, ∨, *})
  P ⊗ R              ⇔  P                              (P is one of true, false, emp, e = e', e ↦ e')

Figure 2. Axioms for distributing ⊗R

One interesting aspect of our assertion language is that it includes Hoare triples {P} e {Q} and invariant extensions P ⊗ Q; previous work [5, 7] does not treat them as assertions but as so-called specifications, which form a different syntactic category. A consequence of having these new constructs as assertions is that they allow us to study proof rules for exploiting locality of stored code systematically, as we will describe shortly.

Intuitively, {P} e {Q} means that e denotes code satisfying {P} _ {Q}, and P ⊗ Q denotes a modification of P where all the pre- and post-conditions of triples inside P are *-extended with Q. In other words, all code specified by pre- and postconditions inside P must preserve invariant Q. For instance, the assertion (∃k. (1 ↦ k) ∧ {emp} k {emp}) ⊗ (2 ↦ 0) is equivalent to (∃k. (1 ↦ k) ∧ {2 ↦ 0} k {2 ↦ 0}). This assertion says that cell 1 is the only cell in the heap and it stores code k that satisfies the triple {2 ↦ 0} _ {2 ↦ 0}. This intuition about the ⊗ operator is made precise in the set of axioms in Figure 2, which let us distribute ⊗ through the constructs of the assertion language.
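The distribution axioms of Figure 2 are purely syntactic, so they can be run. The following is an added example, not code from the paper: a small Python model of the assertion syntax in which ⊗ is computed by reading Figure 2 left to right, P ∘ R is the abbreviation (P ⊗ R) * R, and a normal form modulo associativity and commutativity of * (with unit emp) lets syntactically different results be compared. The free-variable check for the quantifier axiom is a crude identifier scan, and recursive assertions are rejected on purpose, since the paper gives no axiom for distributing ⊗ through μ. The assertions used in the example functions (the specification abbreviation e ↦ {P} _ {Q}, the invariant I, the cells f, 1, 2) are taken from the paper's own examples; the function names are this example's.

```python
import re
from dataclasses import dataclass

# Assertion syntax tree: the fragment of Figure 1 that the axioms of Figure 2 cover.
@dataclass(frozen=True)
class Atom:            # true | false | emp | e = e' | e ↦ e'  (⊗ leaves these alone)
    text: str

@dataclass(frozen=True)
class Triple:          # {pre} code {post}
    pre: object
    code: str
    post: object

@dataclass(frozen=True)
class Bin:             # left op right with op in {'∧', '∨', '*'}
    op: str
    left: object
    right: object

@dataclass(frozen=True)
class Quant:           # ∀x.body / ∃x.body; also used for μX.body with q == 'μ'
    q: str
    var: str
    body: object

IDENT = re.compile(r"[A-Za-z_]\w*")

def fv(a):
    """Free variables, approximated by scanning identifiers in atoms and code."""
    if isinstance(a, Atom):
        return set(IDENT.findall(a.text)) - {"true", "false", "emp"}
    if isinstance(a, Triple):
        return fv(a.pre) | set(IDENT.findall(a.code)) | fv(a.post)
    if isinstance(a, Bin):
        return fv(a.left) | fv(a.right)
    return fv(a.body) - {a.var}

def extend(p, r):
    """P ⊗ R, computed by reading the axioms of Figure 2 left to right."""
    if isinstance(p, Atom):                                   # P ⊗ R ⇔ P
        return p
    if isinstance(p, Triple):                                 # {P} e {Q} ⊗ R ⇔ {P ∘ R} e {Q ∘ R}
        return Triple(circ(p.pre, r), p.code, circ(p.post, r))
    if isinstance(p, Bin):                                    # (P ⊕ Q) ⊗ R ⇔ (P ⊗ R) ⊕ (Q ⊗ R)
        return Bin(p.op, extend(p.left, r), extend(p.right, r))
    if p.q == "μ":                                            # no axiom: unfold μ first (axiom 2.1)
        raise ValueError("(μX.P) ⊗ R does not distribute; unfold μ with axiom (2.1) first")
    if p.var in fv(r):                                        # (κx.P) ⊗ R ⇔ κx.(P ⊗ R) needs x ∉ fv(R)
        raise ValueError(f"side condition violated: {p.var} is free in the invariant")
    return Quant(p.q, p.var, extend(p.body, r))

def circ(p, r):
    """P ∘ R  ≜  (P ⊗ R) * R."""
    return Bin("*", extend(p, r), r)

def show(a):
    if isinstance(a, Atom):
        return a.text
    if isinstance(a, Triple):
        return f"{{{show(a.pre)}}} {a.code} {{{show(a.post)}}}"
    if isinstance(a, Bin):
        return f"({show(a.left)} {a.op} {show(a.right)})"
    return f"{a.q}{a.var}. {show(a.body)}"

def norm(a):
    """Canonical form modulo associativity/commutativity of * and its unit emp, so that
    results that differ only in the bracketing of * compare equal."""
    if isinstance(a, Bin) and a.op == "*":
        parts = [p for side in (a.left, a.right) for p in _star_parts(side)]
        parts.sort(key=show)
        out = Atom("emp")
        for p in parts:
            out = p if out == Atom("emp") else Bin("*", out, p)
        return out
    if isinstance(a, Triple):
        return Triple(norm(a.pre), a.code, norm(a.post))
    if isinstance(a, Bin):
        return Bin(a.op, norm(a.left), norm(a.right))
    if isinstance(a, Quant):
        return Quant(a.q, a.var, norm(a.body))
    return a

def _star_parts(a):
    if isinstance(a, Bin) and a.op == "*":
        return _star_parts(a.left) + _star_parts(a.right)
    n = norm(a)
    return [] if n == Atom("emp") else [n]

def spec_at(cell, pre, post):
    """The abbreviation e ↦ {P} _ {Q}  ≜  ∃k. e ↦ k ∧ {P} k {Q} from Example 2.2."""
    return Quant("∃", "k", Bin("∧", Atom(f"{cell} ↦ k"), Triple(pre, "k", post)))

def paper_example():
    """(∃k. 1 ↦ k ∧ {emp} k {emp}) ⊗ (2 ↦ 0); the paper states this is ∃k. 1 ↦ k ∧ {2 ↦ 0} k {2 ↦ 0}."""
    return show(norm(extend(spec_at("1", Atom("emp"), Atom("emp")), Atom("2 ↦ 0"))))

def frame_comparison(r=Atom("I")):
    """Frame r onto {f ↦ {emp}_{emp}} 'C' {f ↦ {emp}_{emp}}: shallow ({..} 'C' {..} * r)
    versus deep ({.. ∘ r} 'C' {.. ∘ r}); only the deep form reaches the nested triple."""
    fspec = spec_at("f", Atom("emp"), Atom("emp"))
    t = Triple(fspec, "'C'", fspec)
    return show(norm(Bin("*", t, r))), show(norm(extend(t, r)))

def composition_axiom_holds(p, q, r):
    """(P ⊗ Q) ⊗ R ⇔ P ⊗ (Q ∘ R), the axiom of Figure 2 for nested ⊗, checked up to norm()."""
    return norm(extend(extend(p, q), r)) == norm(extend(p, circ(q, r)))
```

`frame_comparison()` makes the difference between the two frame shapes of Section 3.3 visible: the shallow result still contains `{emp} k {emp}` for the stored procedure, whereas the deep result rewrites it to `{I} k {I}`, which is exactly the "laundering" of nested specifications that the soundness discussion below is about.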

Note that since triples are assertions, they can appear in pre- and post-conditions of 
triples. This nested use of triples is useful in reasoning, because it allows one to specify 
stored code behaviourally, in terms of properties that it satisfies. Typically, a program logic 
consists of both an assertion logic and a specification logic (e.g. [24]). With the introduction
of nested triples, assertions and specifications necessarily become mutually recursive; for 
simplicity, we have chosen to identify our specification and assertion logics and just work 
with a single logic of assertions. 

A second interesting aspect of our assertion language is that assertions include (n-ary) relation variables X(e⃗), and that assertions can be defined recursively: the assertion (μX(x⃗).P)(e⃗) binds X and x⃗ = x1 ... xn in P and satisfies the axiom

  (μX(x⃗).P)(e⃗) ⇔ P[X := μX(x⃗).P, x⃗ := e⃗] .                                              (2.1)

In the case where X has arity 0 we will simply write X in place of X().

Example 2.2 (Specification of the iterator via recursion through the store). The previously given command

  C_{it,f,c} = let n = [c] in
                 if n = 0 then skip else ( eval [f] ; [c] := n-1 ; eval [it] )

can be specified as follows, if we assume that the called procedure in f does preserve some invariant I that does not access the counter and iterator cells c and it, respectively. For instance, I could be emp (in case f has no side effects) or ∃m. x ↦ m * y ↦ n!/m! when the factorial of n is computed in y. If x contains the content of the counter then, like with a while loop, upon termination y contains the expected result. In the following, to keep the triples simple, we assume that I = emp.

  {c ↦ _ * f ↦ {emp} _ {emp} * R_it} 'C_{it,f,c}' {c ↦ 0 * f ↦ {emp} _ {emp} * R_it} .

Here, we use the abbreviation e ↦ {P} _ {Q} for (∃k. (e ↦ k) ∧ {P} k {Q}), and R_it is a recursive specification for the iterator itself:

  R_it = μX. it ↦ {c ↦ _ * f ↦ {emp} _ {emp} * X} _ {c ↦ 0 * f ↦ {emp} _ {emp} * X} .

Consequently, heap it ↦ 'C_{it,f,c}' is in R_it and thus one can prove (see Example 3.3) that

  {c ↦ _ * f ↦ {emp} _ {emp} * it ↦ _}
    [it] := 'C_{it,f,c}' ; eval [it]
  {c ↦ 0 * f ↦ {emp} _ {emp} * R_it} .

The specification for the iterator in it is recursive since the iterator calls itself through the store and any recursive call through the store requires the same specification as the original call. Assuming that procedure f has no side effect, we guarantee that the iterator will have no other side effect than setting the counter to 0. The iterator specification also works with more sophisticated behaviour of f: in Example 3.2 below we will discuss how to deal with situations where f has side effects on some heap space (but preserves an invariant I). It will turn out that we can generalise from invariant emp to I without even having to reprove the original side-effect free specification given here, using the so-called deep frame rule.

Analogously to the definition of equi-recursive types in typed lambda calculi, for the assertion (μX(x⃗).P)(e⃗) to be well-formed we require that P is (formally) contractive in X [18]. This means that X can occur in P only in subterms of the form {P'} e {Q'} or P'' ⊗ R' where P'' is formally contractive in X. (We omit the straightforward inductive definition of formal contractiveness.) Semantically, this requirement ensures that μX(x⃗).P is well-defined as a unique fixed point. Note that in particular all assertions of the form P ⊗ X and {P' * X} e {Q' * X} are formally contractive in X, provided X does not appear in P. Thus, μX.P ⊗ X and μX. it ↦ {P * X} e {Q * X} are well-formed (in particular, R_it above). Let R abbreviate the latter assertion. Then, with the help of Axiom (2.1) and the distribution axioms of Figure 2 one can show that R is equivalent to it ↦ {P * R} e {Q * R}, which in turn is equivalent to it ↦ {P * it ↦ {P * R} e {Q * R}} e {Q * it ↦ {P * R} e {Q * R}}, and one can keep unfolding R as many times as one wishes. A successful invocation of the code in it thus requires a heap satisfying P as well as containing it again pointing to code that satisfies the very same specification. It is this potentially infinite unfolding that frees one from having to prove triples by various forms of induction on the number of recursive calls as in [12, 5].

More generally, in order to deal with mutually recursive stored procedures we may need to compute fixpoints of mutually recursively defined assertions. For brevity we omit formal syntax for mutual recursion. We will say more about the use of recursively defined predicates and their existence in Sections 3 and 4. In particular, the semantics in Section 4 can be used to interpret mutually recursive families of assertions.

Finally, note that we have not included an axiom for distributing ⊗ through a recursively defined assertion in Figure 2. In particular, the axiom (μX.P) ⊗ R ⇔ μX.(P ⊗ R) does not hold in the presence of nested triples. Instead, one has to use the axiom μX.P ⇔ P[X := μX.P] and unfold the recursive assertion to exhibit a "proper" connective through which ⊗R can be distributed.
We shall make use of two abbreviations. The first is Q ∘ R, which stands for (Q ⊗ R) * R and which has already been used in Figure 2. This abbreviation describes the combination of two invariants Q and R into a single invariant in the axiom (P ⊗ Q) ⊗ R ⇔ P ⊗ (Q ∘ R). It is also used to add an invariant R to a Hoare triple {P} e {Q}, so as to obtain {P ∘ R} e {Q ∘ R}. We use the asymmetric ∘ instead of the symmetric * here to extend not only Q (P and Q resp.) by R but also ensure, via ⊗, that all Hoare triples nested inside Q (P and Q, resp.) preserve R as an invariant. The ∘ operator has been introduced in [20], where it is credited to Paul-André Melliès and Nicolas Tabareau. The second abbreviation is for the points-to operator of separation logic:

  e1 ↦ P[e2]  ≜  e1 ↦ e2 ∧ P[e2]        and        e1 ↦ P[_]  ≜  ∃x. e1 ↦ P[x] .

Here x is a fresh (logic) variable and P[•] is an assertion with an expression hole, such as {Q} • {R}, • = e or • < e.^2

3. Proof Rules for Higher-order Store

In our formal setting, reasoning about programs is done by deriving judgements of the form Ξ; Γ ⊢ P, where P is an assertion expressing properties of programs, Ξ is a list of (distinct) relation variables X1, ..., Xn containing all the free relation variables in P, and Γ is a list of (distinct) variables x1, ..., xn containing all the free variables in P. For instance, to prove that command C stores at cell 1 the code that initializes cell 10 to 0, we need to derive Ξ; Γ ⊢ {1 ↦ _} 'C' {1 ↦ {10 ↦ _} _ {10 ↦ 0}}. (One concrete example of such a command C is [1] := '[10] := 0'.) Below, we will sometimes omit the contexts Ξ and Γ when they are empty.

In this section, we describe inference rules and axioms for assertions that let one efficiently reason about programs. We focus on those related to higher-order store.

3.1. Standard proof rules. The proof rules include the standard proof rules for intuitionistic^3 logic and the logic of bunched implications (not repeated here). Moreover, the proof rules include variations of standard separation logic proof rules, see Figures 3 and 4. The (Update), (Free) and (Skip) rules in the figure are not the usual small axioms in separation logic, since they contain an assertion P that describes the unchanged part. Since we have the standard frame rule for *, we could have used small axioms instead here. We chose not to do this, because the current non-small axioms make it easier to follow our discussions on frame rules and higher-order store in the next subsection. We added a specific version of (Update), called (UpdateInv), which will turn out not to be derivable from (Update) because triples cannot be used in the (Invariance) rule. (This will be explained in Section 5.) The side condition of (Invariance), "ψ is pure", ensures that ψ is an assertion denoting a predicate that is actually independent of the heap. Examples for pure predicates are arithmetic formulae like x = 1.

The figure neither includes the rule for executing stored code with eval [e] nor the frame rule for adding invariants to triples. The reason for this omission is that these two rules raise nontrivial issues in the presence of higher-order store and nested triples, as we shall discuss below.

^2 These abbreviations do not necessarily lead to a unique reading, e.g. x ↦ 1 < 2 could mean x ↦ 1 ∧ 1 < 2 or x ↦ 2 ∧ 1 < 2, but we will only use them when the P in question is uniquely defined.
^3 A classical interpretation of the assertion language is inconsistent, see Section 3.5.

  Deref
    Ξ; Γ, x ⊢ {P * e ↦ x} 'C' {Q}
    ──────────────────────────────────────────────  (x ∉ fv(e, Q))
    Ξ; Γ ⊢ {∃x. P * e ↦ x} 'let x=[e] in C' {Q}

  Update
    Ξ; Γ ⊢ {e ↦ _ * P} '[e] := e0' {e ↦ e0 * P}

  UpdateInv
    Ξ; Γ ⊢ {e ↦ _ * (e1 ↦ e0 ∧ {A} e0 {B})} '[e] := e0' {(e ↦ e0 ∧ {A} e0 {B}) * (e1 ↦ e0 ∧ {A} e0 {B})}

  New
    Ξ; Γ, x ⊢ {P * x ↦ e⃗} 'C' {Q}
    ────────────────────────────────────────  (x ∉ fv(P, e⃗, Q))
    Ξ; Γ ⊢ {P} 'let x=new e⃗ in C' {Q}

  Free
    Ξ; Γ ⊢ {e ↦ _ * P} 'free(e)' {P}

  If
    Ξ; Γ ⊢ {P ∧ e0=e1} 'C' {Q}     Ξ; Γ ⊢ {P ∧ e0≠e1} 'D' {Q}
    ──────────────────────────────────────────────────────────
    Ξ; Γ ⊢ {P} 'if (e0=e1) then C else D' {Q}

  Seq
    Ξ; Γ ⊢ {P} 'C' {R}     Ξ; Γ ⊢ {R} 'D' {Q}
    ──────────────────────────────────────────
    Ξ; Γ ⊢ {P} 'C; D' {Q}

  Skip
    Ξ; Γ ⊢ {P} 'skip' {P}

Figure 3. Proof rules from separation logic

We also omit the conjunction axiom for triples:

  Conj
    Ξ; Γ ⊢ {P2} e {Q2} ∧ {P1} e {Q1} ⇒ {P1 ∧ P2} e {Q1 ∧ Q2}

as it is not sound (neither as a rule) in the presence of higher-order or deep frame rules, for the reasons given in [16]. If we wanted to use it we would need to restrict to precise assertions, as they do.



3.2. Proof rule for recursive assertions. Besides the axiom (2.1) which lets us unfold recursive assertions, we include a proof rule that expresses the uniqueness of recursive assertions,

  RUnique
    Ξ; Γ ⊢ R ⇔ P[X := R]     Ξ; Γ ⊢ S ⇔ P[X := S]
    ───────────────────────────────────────────────
    Ξ; Γ ⊢ R ⇔ S

for any P formally contractive in X. Using this rule, the equivalence of (possibly recursively defined) assertions R and S can be proved by finding a suitable assertion P that has both R and S as fixed points.
  Conseq
    Ξ; Γ ⊢ P' ⇒ P     Ξ; Γ ⊢ Q ⇒ Q'
    ─────────────────────────────────────
    Ξ; Γ ⊢ {P} e {Q} ⇒ {P'} e {Q'}

    Ξ; Γ ⊢ {P} e {Q} ∧ {P'} e {Q'} ⇒ {P ∨ P'} e {Q ∨ Q'}

  ExistAux
    Ξ; Γ ⊢ (∀x. {P} e {Q}) ⇒ {∃x. P} e {∃x. Q}          (x ∉ fv(e))

  Invariance
    Ξ; Γ ⊢ {P} e {Q} ⇒ {P ∧ ψ} e {Q ∧ ψ}                (ψ is pure)

Figure 4. Non-syntax driven proof rules

3.3. Frame rule for higher-order store. The frame rule is the most important rule in separation logic, and it formalizes the intuition of local reasoning, where proofs focus on the footprints of the programs we verify. For instance, in Example 2.2 we have said we can prove

  {c ↦ _ * f ↦ {emp} _ {emp} * R_it} 'C_{it,f,c}' {c ↦ 0 * f ↦ {emp} _ {emp} * R_it}              (3.1)

But if we wanted now to prove a similar result for an f that had some side effect like

  f ↦ 'let r=[x] in let v=[y] in [y] := r*v; [x] := r-1'

then setting I = ∃m. x ↦ m * y ↦ n!/m! we can prove {I} f {I}, but now we need to show

  {c ↦ _ * f ↦ {I} _ {I} * (R_it ⊗ I) * I} 'C_{it,f,c}' {c ↦ 0 * f ↦ {I} _ {I} * (R_it ⊗ I) * I}     (3.2)

The so-called "deep frame rule" will allow us to do just that: to prove triple (3.2) from triple (3.1) in one reasoning step, such that we can re-use our original proof. This rule will be discussed below and details of its concrete usage can be seen in Example 3.2. Note also that the first-order (or shallow) frame rule does not achieve this; it would only give us

  {c ↦ _ * f ↦ {emp} _ {emp} * R_it * I} 'C_{it,f,c}' {c ↦ 0 * f ↦ {emp} _ {emp} * R_it * I}       (3.3)

which is not useful here.

Establishing "deep" frame rules in our setting is challenging, because nested triples allow for several choices regarding the shape of the rule. Moreover, the recursive nature of the higher-order store complicates matters and it is difficult to see which choices actually make sense (i.e., do not lead to inconsistency).

To see this problem more clearly, consider the rules below (□ ∈ {*, ∘}):

  Frame rule                              Frame axiom
    Ξ; Γ ⊢ {P} e {Q}
    ──────────────────────────              Ξ; Γ ⊢ {P} e {Q} ⇒ {P □ R} e {Q □ R}
    Ξ; Γ ⊢ {P □ R} e {Q □ R}

Note that we have four choices, depending on whether we use □ = * or □ = ∘ and on whether we have an inference rule or an axiom. If we choose the separating conjunction * for □, we obtain shallow frame rules that add R to the outermost triple {P} e {Q} only; they do not add R in nested triples appearing in pre-condition P and post-condition Q. On the other hand, if we choose ∘ for □, since (A ∘ R) = (A ⊗ R * R), we obtain deep frame rules that add the invariant R not just to the outermost triple but also to all the nested triples in P and Q.

The distinction between inference rule and axiom has some bearing on where the frame rule can be applied. With the axiom version, we can apply the frame rule not just to valid triples, but also to nested triples appearing in pre- or post-conditions, which is not possible with the inference rule.

Ideally, we would like to have the axiom versions of the frame rules for both the * and o 
connectives. Unfortunately, this is not possible for o: adding the axiom version for o makes 
our logic unsound. The source of the problem is that with the axiom version for o, one can 
add invariants selectively to some, but not necessarily all, nested triples. This flexibility 
can be abused to derive incorrect conclusions. 

Concretely, with the axiom version for ∘ (DeepFrameAxiom) we can make the following derivation:

  (1) Ξ; Γ ⊢ {P ∘ S} e {Q ∘ S}                                       premise
  (2) Ξ; Γ ⊢ {P} e {Q} ⊗ S                                           ⊗-Dist^i (⇐), from (1)
  (3) Ξ; Γ ⊢ {P} e {Q} ⇒ {P ∘ R} e {Q ∘ R}                           DeepFrameAx.
  (4) Ξ; Γ ⊢ ({P} e {Q} ⊗ S) ⇒ ({P ∘ R} e {Q ∘ R} ⊗ S)               ⊗-Mono, from (3)
  (5) Ξ; Γ ⊢ {P ∘ R} e {Q ∘ R} ⊗ S                                   ModusPon., from (2) and (4)
  (6) Ξ; Γ ⊢ {(P ∘ R) ∘ S} e {(Q ∘ R) ∘ S}                           ⊗-Dist^i (⇒), from (5)

Here we use the monotonicity of ⊗R in the form of rule (⊗-Mono), cf. Figure 9 in the Appendix. The steps annotated ⊗-Dist^i use the first equivalence {P} e {Q} ⊗ R ⇔ {P ∘ R} e {Q ∘ R} of the distribution axioms for ⊗ in Fig. 2 (in ⇐ and ⇒ direction, respectively). We annotate the application of an axiom between triples with ^i to indicate that we apply it actually as a rule via the application of (ModusPonens). So, for instance, (Conseq)^i, used frequently below, denotes a sub-derivation of the following form:

                  A' ⇒ A     B ⇒ B'
                  ─────────────────────────────── Conseq
    {A} e {B}     {A} e {B} ⇒ {A'} e {B'}
    ─────────────────────────────────────────────── ModusPonens
    {A'} e {B'}

where we will usually omit the implications A' ⇒ A and B ⇒ B' when they are obvious from the context.

The fact we could derive {(P ∘ R) ∘ S} e {(Q ∘ R) ∘ S} means that when adding R to nested triples, we can skip the triples in the S part of the pre- and post-conditions of {P ∘ S} e {Q ∘ S}. This flexibility leads to the unsoundness:

Proposition 3.1. Adding the axiom version (DeepFrameAxiom) of the frame rule for ∘ renders our logic unsound.

Proof. Let R be the recursive assertion μX. (3 ↦ {1 ↦ _} _ {1 ↦ _}) ⊗ X, and note that this means R ⇔ (3 ↦ {1 ↦ _} _ {1 ↦ _}) ⊗ R holds. Then, we can derive the triple:

  k ⊢ {2 ↦ {1 ↦ _} _ {1 ↦ _} ∘ R} k {2 ↦ _ ∘ R}
  ────────────────────────────────────────────────────────────────────────────────
  k ⊢ {(2 ↦ {1 ↦ _} _ {1 ↦ _} ∘ 1 ↦ _) ∘ R} k {(2 ↦ _ ∘ 1 ↦ _) ∘ R}
  ──────────────────────────────────────────────────────────────────────────────── Conseq^i
  k ⊢ {2 ↦ 'free(-1)' * 1 ↦ _ * R} k {2 ↦ _ * 1 ↦ _ * 3 ↦ {1 ↦ _ * R} _ {1 ↦ _ * R}}         (3.4)

Here the first step uses the derivation above for adding invariants selectively, and the last step uses the consequence rule^4 with the following two implications:

  (2 ↦ {1 ↦ _} _ {1 ↦ _} ∘ 1 ↦ _) ∘ R  ⇔  2 ↦ {1 ↦ _ * 1 ↦ _} _ {1 ↦ _ * 1 ↦ _} * 1 ↦ _ * R
                                        ⇔  2 ↦ {false} _ {false} * 1 ↦ _ * R
                                        ⇒  2 ↦ 'free(-1)' * 1 ↦ _ * R

where the second equivalence follows from the fact that 1 ↦ _ * 1 ↦ _ ⇔ false (use axioms (Overlap), (*-Zero), and (*-Mono) of Separation Logic from Figure 9) with (Conseq)^i, and

  (2 ↦ _ ∘ 1 ↦ _) ∘ R  ⇔  2 ↦ _ * 1 ↦ _ * R
                        ⇔  2 ↦ _ * 1 ↦ _ * ((3 ↦ {1 ↦ _} _ {1 ↦ _}) ⊗ R)
                        ⇔  2 ↦ _ * 1 ↦ _ * 3 ↦ {1 ↦ _ * R} _ {1 ↦ _ * R} .

in which the distribution axioms of Figure 2 are used, again in concert with (Conseq) and Separation Logic rules like (*-Mono).

Consider C = let x=[2] in [3] := x, i.e., the program that copies the contents from cell 2 to cell 3. When P[y] = {1 ↦ _} y {1 ↦ _} ⊗ R such that R ⇔ 3 ↦ P[_] holds,

  UpdateInv   x ⊢ {3 ↦ _ * (2 ↦ x ∧ P[x])} '[3] := x' {(3 ↦ x ∧ P[x]) * (2 ↦ x ∧ P[x])}
  Conseq^i    x ⊢ {3 ↦ _ * (2 ↦ x ∧ P[x])} '[3] := x' {3 ↦ P[_] * 2 ↦ P[_]}
  Deref         ⊢ {∃x. 3 ↦ _ * (2 ↦ x ∧ P[x])} 'let x=[2] in [3] := x' {3 ↦ P[_] * 2 ↦ P[_]}
  Conseq^i      ⊢ {3 ↦ P[_] * 2 ↦ P[_]} 'C' {3 ↦ P[_] * 2 ↦ P[_]}
  Conseq^i      ⊢ {R * 2 ↦ P[_]} 'C' {R * 2 ↦ P[_]}
  Conseq^i      ⊢ {2 ↦ {1 ↦ _} _ {1 ↦ _} ∘ R} 'C' {2 ↦ _ ∘ R}

Now we instantiate k in (3.4) with 'C', discharge the premise of the resulting derivation with the above derivation for C, and obtain

  ⊢ {2 ↦ 'free(-1)' * 1 ↦ _ * R} 'C' {2 ↦ _ * 1 ↦ _ * 3 ↦ {1 ↦ _ * R} _ {1 ↦ _ * R}}

But the post-condition of the conclusion here is equivalent to 2 ↦ _ * 1 ↦ _ * R by the definition of R and the distribution axioms for ⊗. Thus, as our rule for eval will show later, we should be able to conclude that

  ⊢ {2 ↦ 'free(-1)' * 1 ↦ _ * R} 'C; eval [3]' {2 ↦ _ * 1 ↦ _ * 3 ↦ {1 ↦ _ * R} _ {1 ↦ _ * R}}

However, since -1 is not even an address, the program (C; eval [3]) which executes the code free(-1) now stored in cell 3 always faults, contradicting the requirement of separation logic that proved programs run without faulting. □

^4 Note that it is important here that (Conseq) derives an implication between triples.
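The programs in this paper are small enough to execute, and executing them makes the two behaviours the logic must distinguish concrete: the iterator of Example 2.1 (with the factorial procedure of Section 3.3 stored in f) terminates with the expected heap, while the program C; eval [3] of the proof above faults. What follows is an added example, not code from the paper: an interpreter for the language of Figure 1 in which commands and expressions are nested Python tuples, the heap maps integer addresses to integers or quoted commands, and a step budget ("fuel") distinguishes non-termination from a fault. Two simplifications are this example's own: quoted commands are assumed closed (they name heap cells by literal addresses only), and the global cells it, f, c, x, y are fixed at addresses 1 to 5.

```python
class Fault(Exception):
    """The program got stuck: access to a non-address, eval of a non-code value, ..."""

class Machine:
    def __init__(self, heap, fuel=100_000):
        self.heap = dict(heap)          # address -> int | ('quote', C) | None (allocated, content '_')
        self.fuel = fuel                # step budget, so that divergence is not mistaken for a fault
        self.fresh = max(self.heap, default=0) + 1

    def addr(self, e, env):
        """Evaluate e and check that it is an allocated address (else the program faults)."""
        a = self.ev(e, env)
        if not isinstance(a, int) or a not in self.heap:
            raise Fault(f"{a!r} is not an allocated address")
        return a

    def ev(self, e, env):
        """Expressions: integer literals, variables, arithmetic, and the quote 'C'."""
        if isinstance(e, int):
            return e
        if isinstance(e, str):
            return env[e]
        if e[0] == "quote":
            return e                    # code is a value; it stays unevaluated
        x, y = self.ev(e[1], env), self.ev(e[2], env)
        return {"+": x + y, "-": x - y, "*": x * y}[e[0]]

    def run(self, c, env=None):
        env = {} if env is None else env
        self.fuel -= 1
        if self.fuel < 0:
            raise RuntimeError("out of fuel: treating the program as non-terminating")
        tag = c[0]
        if tag == "skip":
            return
        if tag == "seq":                                  # C1 ; C2
            self.run(c[1], env)
            self.run(c[2], env)
        elif tag == "assign":                             # [e1] := e2
            self.heap[self.addr(c[1], env)] = self.ev(c[2], env)
        elif tag == "let":                                # let y=[e] in C   (y is immutable)
            self.run(c[3], {**env, c[1]: self.heap[self.addr(c[2], env)]})
        elif tag == "eval":                               # eval [e]: run the code stored at e
            v = self.heap[self.addr(c[1], env)]
            if not (isinstance(v, tuple) and v[0] == "quote"):
                raise Fault(f"cell {self.ev(c[1], env)} holds {v!r}, not code")
            self.run(v[1], {})                            # quoted code is closed (assumption)
        elif tag == "new":                                # let x=new(e1,...,en) in C
            base = self.fresh
            for i, e in enumerate(c[2]):
                self.heap[base + i] = self.ev(e, env)
            self.fresh += len(c[2])
            self.run(c[3], {**env, c[1]: base})
        elif tag == "free":                               # free e
            del self.heap[self.addr(c[1], env)]
        elif tag == "if":                                 # if (e1=e2) then C1 else C2
            self.run(c[3] if self.ev(c[1], env) == self.ev(c[2], env) else c[4], env)
        else:
            raise ValueError(f"unknown command {tag!r}")

# Global cells of Example 2.1 and Section 3.3; the addresses are chosen for this example.
IT, F, C, X, Y = 1, 2, 3, 4, 5
# C_{it,f,c} = let n=[c] in if n=0 then skip else (eval [f]; [c]:=n-1; eval [it])
ITERATE = ("let", "n", C, ("if", "n", 0, ("skip",),
           ("seq", ("eval", F), ("seq", ("assign", C, ("-", "n", 1)), ("eval", IT)))))
# the procedure of Section 3.3: let r=[x] in let v=[y] in [y]:=r*v; [x]:=r-1
FACT_STEP = ("let", "r", X, ("let", "v", Y,
             ("seq", ("assign", Y, ("*", "r", "v")), ("assign", X, ("-", "r", 1)))))

def run_iterator(n):
    """Landin's knot: [it] := 'C_{it,f,c}'; eval [it] with counter c = n, x = n, y = 1.
    The invariant ∃m. x ↦ m * y ↦ n!/m! of Example 2.2 gives y = n! once c reaches 0."""
    m = Machine({IT: None, F: ("quote", FACT_STEP), C: n, X: n, Y: 1})
    m.run(("seq", ("assign", IT, ("quote", ITERATE)), ("eval", IT)))
    return m.heap[C], m.heap[Y]

def counterexample():
    """C; eval [3] from the proof of Proposition 3.1, started in a heap satisfying
    2 ↦ 'free(-1)' * 1 ↦ _ * 3 ↦ _ : C copies cell 2 into cell 3, then eval [3] runs it."""
    copy = ("let", "x", 2, ("assign", 3, "x"))
    m = Machine({1: 0, 2: ("quote", ("free", -1)), 3: ("quote", ("skip",))})
    try:
        m.run(("seq", copy, ("eval", 3)))
        return "terminated"
    except Fault as fault:
        return f"faulted: {fault}"

def knot_diverges():
    """[1] := 'eval [1]'; eval [1] never terminates; partial correctness says nothing about it."""
    m = Machine({1: None}, fuel=300)
    try:
        m.run(("seq", ("assign", 1, ("quote", ("eval", 1))), ("eval", 1)))
        return False
    except RuntimeError:
        return True
```

`run_iterator(5)` returns `(0, 120)`, i.e. the counter is 0 and y holds 5!, which is the post-condition of Example 2.2 instantiated with the invariant of Section 3.3. `counterexample()` reports a fault, which is the observable behaviour that the triple derived with (DeepFrameAxiom) would have ruled out; the recursion through the store in both programs goes through `eval` reading code back out of the heap, exactly the situation the recursive specification R_it and the rule (Eval) of Section 3.4 are designed for.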
Remark 3.1 (Counterexample for the Deep Frame Axiom). Notice that in the derivation above it is essential that R is a recursively defined assertion, otherwise we would not obtain that the locations 2 and 3 point to code satisfying the same assertion P.

While the above counterexample has been the first such counterexample historically, there is also another form of counterexample discovered later which uses the same ideas as the above but works "through the store." More precisely, in this alternative counterexample the copying code 'C' resides on the heap where the frame axiom can be applied directly on a nested triple, and not through the derivation

  {P ∘ S} e {Q ∘ S}
  ───────────────────────────────
  {(P ∘ R) ∘ S} e {(Q ∘ R) ∘ S}

This rather follows the style of [5]^5 and [10]^6. For this counterexample, let R be as above and let

  P1[y] = {1 ↦ _} y {1 ↦ _} .

First, observe that the following triple can be derived with a rule for eval (this rule (Eval) will be explained in detail in Section 3.4):

  {2 ↦ {false} _ {false} * c ↦ {2 ↦ {false} _ {false}} _ {2 ↦ {false} _ {false}}}
    'eval [c]'                                                                              (3.5)
  {2 ↦ _ * c ↦ _}

But the (DeepFrameAxiom) (the axiom version for ∘) can be used to derive

  c ↦ {2 ↦ P1[_]} _ {2 ↦ P1[_]}  ⇒  c ↦ {2 ↦ P1[_] ∘ (1 ↦ _)} _ {2 ↦ P1[_] ∘ (1 ↦ _)}

which then by applying distribution axioms unfolding the definition of P1 yields:

  c ↦ {2 ↦ P1[_]} _ {2 ↦ P1[_]}  ⇒  c ↦ {2 ↦ {false} _ {false}} _ {2 ↦ {false} _ {false}}

Applying this to triple (3.5) with the help of an appropriate (Conseq^i) step we can therefore derive

  ⊢ {2 ↦ {false} _ {false} * c ↦ {2 ↦ P1[_]} _ {2 ↦ P1[_]}} 'eval [c]' {2 ↦ _ * c ↦ _}

and thus by the shallow frame rule again

  ⊢ {1 ↦ _ * 2 ↦ {false} _ {false} * c ↦ {2 ↦ P1[_]} _ {2 ↦ P1[_]}} 'eval [c]' {1 ↦ _ * 2 ↦ _ * c ↦ _}

This triple should not hold for all heaps since actually now the code in 2 has been laundered to work with its caller code in c although the code in c, to function properly, might depend on the code in 2 meeting the specification P1. Using the above derivation, we can now construct a program that is provably safe but crashes, showing that (DeepFrameAxiom) cannot be correct (as the other used rules and axioms clearly are). First, with the rule version for ∘ (DeepFrameRule) to add R one gets

  {1 ↦ _ * 2 ↦ {false} _ {false} * c ↦ {2 ↦ P1[_] ∘ R} _ {2 ↦ P1[_] ∘ R} * R}
    'eval [c]'
  {1 ↦ _ * 2 ↦ _ * c ↦ _ * R}

so that by definition of ∘, P1, and R we obtain

  {1 ↦ _ * 2 ↦ {false} _ {false} * c ↦ {2 ↦ P[_] * R} _ {2 ↦ P[_] * R} * R}
    'eval [c]'
  {1 ↦ _ * 2 ↦ _ * c ↦ _ * R}

where P[y] is the assertion P1[y] ⊗ R (also used in the proof of Proposition 3.1).

From that one can easily derive with the rules (Seq), (Eval) and (Conseq) that

  {1 ↦ _ * 2 ↦ {false} _ {false} * c ↦ {2 ↦ P[_] * R} _ {2 ↦ P[_] * R} * R}
    'eval [c]; eval [3]'
  {1 ↦ _ * 2 ↦ _ * c ↦ _ * R} .

Yet, if c ↦ 'let x=[2] in [3] := x' and 2 ↦ 'free(-1)', then the above program crashes. Although the code in c does not call the crashing code 'free(-1)' in 2, it copies 'free(-1)' into 3, which is possible due to the "laundered" specification of 2 in the triple for c.

Again, this shows how essential it is that 3 ↦ P1[_] ⊗ R is equivalent to R, which forces R to be recursively defined to actually allow the copying to be performed. This version of the counterexample uses the (DeepFrameRule) rather than (ModusPonens) and (⊗-Mono), and its pattern is more likely to appear in "naturally occurring" examples.

^5 However, the antiframe rule is used there.
^6 This uses a version where the copied code accesses a cell that is then disposed of before the code itself is executed later.

As Proposition 3.1 shows, we cannot include (DeepFrameAxiom) in the proof system. Fortunately, the second best choice of frame axioms leads to a consistent proof system:

Proposition 3.2. Both the inference rule version of the frame rule for ∘ and the axiom version for * are sound. In fact, the following more general version (⊗-Frame) of the rule for ∘ holds:

  ⊗-Frame
    Ξ; Γ ⊢ P
    ──────────────
    Ξ; Γ ⊢ P ⊗ R

We will prove this proposition in Section 4 by a model construction.

Example 3.2 (Application of (⊗-Frame)). Recall our specification

  {c ↦ _ * f ↦ {emp} _ {emp} * R_it} 'C_{it,f,c}' {c ↦ 0 * f ↦ {emp} _ {emp} * R_it}              (3.6)

of the iteration command in Example 2.2, where R_it is a recursive specification for the iterator itself:

  R_it = μX. it ↦ {c ↦ _ * f ↦ {emp} _ {emp} * X} _ {c ↦ 0 * f ↦ {emp} _ {emp} * X}

Assume this triple has been already proven (cf. Example 3.3 below). If the code C_{it,f,c} is to be used on a procedure f that needs some state I, e.g. I = a ↦ _, then we need to show

  {c ↦ _ * f ↦ {I} _ {I} * (R_it ⊗ I) * I} 'C_{it,f,c}' {c ↦ 0 * f ↦ {I} _ {I} * (R_it ⊗ I) * I}

This triple could be established by a proof similar to the one for the triple (3.6) above, just carrying around the extra assumption I. If we want to reuse this proof though, or even more importantly, if we do not have the proof of the above triple because it is part of a module for which we do not have the actual code, then we can use rule (⊗-Frame) on triple (3.6) to derive:

  ({c ↦ _ * f ↦ {emp} _ {emp} * R_it} 'C_{it,f,c}' {c ↦ 0 * f ↦ {emp} _ {emp} * R_it}) ⊗ I

A Conseq^i step using the equivalence of the first axiom in Figure 2 in both directions for the pre- and postcondition, respectively, thus gives us the triple:

  {(c ↦ _ ⊗ I) * (f ↦ {emp} _ {emp} ⊗ I) * (R_it ⊗ I) * I}
    'C_{it,f,c}'
  {(c ↦ 0 ⊗ I) * (f ↦ {emp} _ {emp} ⊗ I) * (R_it ⊗ I) * I}

which by another four applications of distribution axioms yields the required triple. Note that the rule (RUnique) would be needed to show that R_it ⊗ I is equivalent to the recursive assertion

  μY. it ↦ {c ↦ _ * f ↦ {I} _ {I} * I * Y} _ {c ↦ 0 * f ↦ {I} _ {I} * I * Y} .

3.4. Rule for executing stored code. An important and challenging part of the design of a program logic for higher-order store is the design of a proof rule for eval [e], the command that executes the code stored at e. Indeed, the rule should overcome two challenges directly related to the recursive nature of higher-order store: (1) implicit recursion through the store (i.e., Landin's knot), and (2) extensional specifications of stored code.

These two challenges are addressed, using the expressiveness of our assertion language, by the following rule for eval [e]:

$$\text{Eval}\qquad \frac{\Xi;\Gamma,k \vdash R[k] \Rightarrow \{P \ast e \mapsto R[\_]\}\ k\ \{Q\}}{\Xi;\Gamma \vdash \{P \ast e \mapsto R[\_]\}\ \text{'eval}\,[e]\text{'}\ \{Q\}}$$

This rule states that in order to prove $\{P \ast e \mapsto R[\_]\}$ 'eval [e]' $\{Q\}$ for executing the code stored in [e] under the assumption that e points to arbitrary code k (expressed by the _, where $e \mapsto R[\_]$ abbreviates $\exists k.\ e \mapsto R[k]$), it suffices to show that the specification $R[k]$ implies that k itself fulfils the triple $\{P \ast e \mapsto R[\_]\}\ k\ \{Q\}$.

In the above rule we do not make any assumptions about what code e actually points to, as long as it fulfils the specification R. It may even be updated between recursive calls. However, for recursion through the store, R must be recursively defined, as it needs to maintain itself as an invariant of the code in e.

Example 3.3 (Recursion through the store with the iterator). As seen in the iterator Example 2.2, one would like to prove

$$\{c \mapsto \_ \ast f \mapsto \{emp\}\_\{emp\} \ast R_{it}\}\ \text{'eval}\,[it]\text{'}\ \{c \mapsto 0 \ast f \mapsto \{emp\}\_\{emp\} \ast R_{it}\}$$

with the help of (Eval). First we set

$$R = \{c \mapsto \_ \ast f \mapsto \{emp\}\_\{emp\} \ast R_{it}\}\_\{c \mapsto 0 \ast f \mapsto \{emp\}\_\{emp\} \ast R_{it}\}$$

such that $R_{it}$ is the same as $it \mapsto R[\_]$. We are now in a position to apply (Eval), obtaining the following proof obligation

$$R[k] \Rightarrow \{c \mapsto \_ \ast f \mapsto \{emp\}\_\{emp\} \ast it \mapsto R[\_]\}\ k\ \{c \mapsto 0 \ast f \mapsto \{emp\}\_\{emp\} \ast R_{it}\}$$

which can be seen to be identical to $R[k] \Rightarrow R[k]$ and hence holds trivially.

The (Eval) rule crucially relies on the expressiveness of our assertion language, especially the presence of nested triples and recursive assertions.

EvalNonRec
$$\Xi;\Gamma \vdash \{P \ast e \mapsto \forall y.\,\{P\}\_\{Q\}\}\ \text{'eval}\,[e]\text{'}\ \{Q \ast e \mapsto \forall y.\,\{P\}\_\{Q\}\}$$

EvalNonRecUpd
$$\Xi;\Gamma \vdash \{P \ast e \mapsto \forall y.\,\{P \ast e \mapsto \_\}\_\{Q\}\}\ \text{'eval}\,[e]\text{'}\ \{Q\}$$

EvalRec (where $R = \mu X.\,(e \mapsto \forall y.\,\{P\}\_\{Q\} \ast P_0) \otimes X$)
$$\Xi;\Gamma \vdash \{P \circ R\}\ \text{'eval}\,[e]\text{'}\ \{Q \circ R\}$$

Figure 5. Derived rules from Eval

In our previous work, we did not consider nested triples. As a result, we had to reason explicitly with stored code, rather than with properties of the code, as illustrated by one of our previous rules for eval [5]:

$$\text{OldEval}\qquad \frac{\Xi;\Gamma \vdash \{P\}\ \text{'eval}\,[e]\text{'}\ \{Q\} \Rightarrow \{P\}\ \text{'}C\text{'}\ \{Q\}}{\Xi;\Gamma \vdash \{P \ast e \mapsto \text{'}C\text{'}\}\ \text{'eval}\,[e]\text{'}\ \{Q \ast e \mapsto \text{'}C\text{'}\}}$$

Here the actual code C is specified explicitly in the pre- and postconditions of the triple. In both rules the intuition is that the premise states that the body of the recursive procedure fulfils the triple, under the assumption that the recursive call already does so. In the (Eval) rule this is done without direct reference to the code itself, using the variable k to stand for arbitrary code satisfying R. The soundness proof of (OldEval) proceeded along the lines of Pitts' method for establishing relational properties of domains [19]. On the other hand, as we will show in Section 4, (Eval) relies on the availability of recursive assertions, the existence of which is guaranteed by Banach's fixpoint theorem.

From the (Eval) rule one can easily derive the axioms of Figure 5. The first two axioms are for non-recursive calls. This can be seen from the fact that in the precondition of the nested triples e does not appear at all, or does not have a specification, respectively. Only the third axiom (EvalRec) allows for recursive calls. The idea of this axiom is that one assumes that the code in [e] fulfils the required triple provided the code that e points to at call time fulfils the triple as well. Let us look at the actual derivation of (EvalRec) to make this evident. We write

$$S[k] = \forall y.\,\{P \circ R\}\ k\ \{Q \circ R\}$$

such that for the original

$$R = \mu X.\,(e \mapsto \forall y.\,\{P\}\_\{Q\} \ast P_0) \otimes X$$

of the rule (EvalRec) we obtain, with the help of Axiom (2.1):

$$R \Leftrightarrow (e \mapsto S[\_]) \ast (P_0 \otimes R) \qquad (3.7)$$
Note that in the derivation below $\Gamma$ contains the variables $y$, which may appear freely in $P$ and $Q$.

Read top-down, each line follows from the one above it by the rule named on its left:

$$\begin{array}{ll}
\text{(FOL)} & \Xi;\Gamma,k \vdash (\forall y.\,\{P \circ R\}\,k\,\{Q \circ R\}) \Rightarrow \{P \circ R\}\,k\,\{Q \circ R\} \\
\text{(Def. of } S) & \Xi;\Gamma,k \vdash S[k] \Rightarrow \{P \circ R\}\,k\,\{Q \circ R\} \\
\text{(CSub)} & \Xi;\Gamma,k \vdash S[k] \Rightarrow \{(P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R)\}\,k\,\{Q \circ R\} \\
\text{(Eval)} & \Xi;\Gamma \vdash \{(P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R)\}\ \text{'eval}\,[e]\text{'}\ \{Q \circ R\} \\
\text{(Conseq)} & \Xi;\Gamma \vdash \{P \circ R\}\ \text{'eval}\,[e]\text{'}\ \{Q \circ R\}
\end{array}$$

In the derivation above, the axiom used at the top is simply a first-order axiom for $\forall$-elimination. The quantified variables $y$ are substituted by the variables with the same name from the context. After an application of rule (EvalRec), those variables $y$ can then be substituted further. Step CSub abbreviates the following derivation, where contexts have been omitted for clarity; (Conseq) combines the implications for the pre- and postcondition established in the lines above it, and the final (T$\Rightarrow$) step chains the hypothesis with the result of (Conseq):

$$\begin{array}{ll}
\text{(Hyp)} & S[k] \Rightarrow \{P \circ R\}\,k\,\{Q \circ R\} \\
\text{(Def. } \circ) & (P \otimes R) \ast R \Rightarrow P \circ R \\
\text{(Unfold)} & (P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R) \Rightarrow P \circ R \\
\text{(R}\Rightarrow) & Q \circ R \Rightarrow Q \circ R \\
\text{(Conseq)} & \{P \circ R\}\,k\,\{Q \circ R\} \Rightarrow \{(P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R)\}\,k\,\{Q \circ R\} \\
\text{(T}\Rightarrow) & S[k] \Rightarrow \{(P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R)\}\,k\,\{Q \circ R\}
\end{array}$$

In the above derivation, (R$\Rightarrow$) and (T$\Rightarrow$) denote reflexivity and transitivity of implication, respectively, and step Unfold denotes the following sub-derivation, which uses the unrolling (3.7) of $R$ in the direction $e \mapsto S[\_] \ast (P_0 \otimes R) \Rightarrow R$:

$$\begin{array}{ll}
\text{(3.7)} & e \mapsto S[\_] \ast (P_0 \otimes R) \Rightarrow R \\
\text{(R}\Rightarrow) & P \otimes R \Rightarrow P \otimes R \\
(\ast\text{-Mono}) & (P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R) \Rightarrow (P \otimes R) \ast R \\
\text{(Def. } \circ) & (P \otimes R) \ast R \Rightarrow P \circ R \\
\text{(T}\Rightarrow) & (P \otimes R) \ast e \mapsto S[\_] \ast (P_0 \otimes R) \Rightarrow P \circ R
\end{array}$$

The use of the recursive specification

$$R = \mu X.\,(e \mapsto \forall y.\,\{P\}\_\{Q\} \ast P_0) \otimes X$$

is essential here, as it allows us to unroll the definition (see equivalence (3.7)) so that the (Eval) rule can be applied. Note that in the logic of [12], which also uses nested triples but features neither a specification logic nor any frame rules or axioms, recursive specifications do not exist. Avoiding them, one loses an elegant specification mechanism that allows for code updates during recursion. Such updates are indeed possible, as eval uses a pointer to call code from the (obviously changeable) heap. In the logic of [12], specifications would have to refer to other means to deal with such code updates, like e.g. families of code with uniform specifications. But it is unclear to what extent such a formulation would allow for modular extensions. For modular reasoning one must not rely on concrete families of code in proofs, otherwise these proofs are not reusable when the family has to be changed to allow for additional code.

$$\otimes\text{-Frame}\quad \frac{\Xi;\Gamma \vdash P}{\Xi;\Gamma \vdash P \otimes R} \qquad\qquad \ast\text{-Frame}\quad \Xi;\Gamma \vdash \{P\}\,e\,\{Q\} \Rightarrow \{P \ast R\}\,e\,\{Q \ast R\}$$

$$\text{Eval}\quad \frac{\Xi;\Gamma,k \vdash R[k] \Rightarrow \{P \ast e \mapsto R[\_]\}\,k\,\{Q\}}{\Xi;\Gamma \vdash \{P \ast e \mapsto R[\_]\}\ \text{'eval}\,[e]\text{'}\ \{Q\}}$$

Figure 6. Proof rules specific to higher-order store

Assuming the code in e does not change, the recursively defined R above can be expressed without recursion (we can omit $P_0$ now, as this is only needed for mutually recursively defined triples) as follows:

$$e \mapsto \{e \mapsto k \ast P\}\ k\ \{e \mapsto k \ast Q\}.$$

The question however remains how the assertion can be proved for some concrete 'C' that is stored in [e]. In [12] this is done by an induction on some appropriate argument, which is possible since only total correctness is considered there. In our logic, (OldEval) is strikingly similar to a fixpoint induction rule in "de Bakker and Scott" style, and (Eval) even allows one to abstract away from concrete code. These rules are elegant and simple to use. Not only do they allow for recursion through the store, (Eval) also disentangles the reasoning from the concrete code stored in the heap, supporting modularity and extensibility.

Figure 6 summarizes a particular choice of proof-rule set from the current and previous subsections. Soundness is proved in Section 4.

3.5. Nested triples and classical assertion logic. One may wonder why we insist on an intuitionistic program logic. Unfortunately, as the following proposition shows, it is not possible to use a classical version of our logic; more precisely, the combination of a classical specification logic and rule ($\otimes$-Frame) is not sound. Thus, by our identification of assertion and specification language, we cannot have a classical assertion logic either.

Proposition 3.3. Adding rule ($\otimes$-Frame) to a classical specification logic is not sound.

Proof. Assuming the rule for the elimination of double negation, we can derive the problematic triple

$$\{\mathit{true}\}\ \text{'skip'}\ \{\mathit{false}\}.$$

Assume $\neg\{\mathit{true}\}$ 'skip' $\{\mathit{false}\}$, using the abbreviation $\neg\varphi$ for $\varphi \Rightarrow \mathit{false}$. With rule ($\otimes$-Frame) to frame in $\mathit{false}$ we can derive $(\neg\{\mathit{true}\}\ \text{'skip'}\ \{\mathit{false}\}) \otimes \mathit{false}$ from $\neg\{\mathit{true}\}$ 'skip' $\{\mathit{false}\}$. Since $\mathit{true} \ast \mathit{false} \Leftrightarrow \mathit{false}$ and $\mathit{false} \ast \mathit{false} \Leftrightarrow \mathit{false}$, rule (Conseq) and the distribution axioms then let us derive $\neg\{\mathit{false}\}$ 'skip' $\{\mathit{false}\}$. On the other hand, rule (Skip) derives the triple $\{\mathit{false}\}$ 'skip' $\{\mathit{false}\}$. Thus, we have shown that from the assumption $\neg\{\mathit{true}\}$ 'skip' $\{\mathit{false}\}$ we can derive $\mathit{false}$, i.e. we have shown $\neg\neg\{\mathit{true}\}$ 'skip' $\{\mathit{false}\}$. By eliminating the double negation we can now derive the triple $\{\mathit{true}\}$ 'skip' $\{\mathit{false}\}$. □

Note that this derivation does not use nested triples, and also applies to the specification logics used in [3, 5].
4. Semantics of Nested Triples

This section develops a model for the programming language and logic we have presented. The semantics of programs, given in Subsection 4.2 using an untyped domain-theoretic model, is standard. The following semantics of the logic is, however, unusual: it is a possible world semantics where the worlds live in a recursively defined metric space. Before we begin with the technical development proper we give a brief overview of the main ideas employed.

4.1. Overview of the technical development. In earlier work, Birkedal, Torp-Smith, and Yang [7, 8] showed how to model a specification logic with higher-order frame rules, but for a language with first-order store. There, the assertion and specification logic were kept distinct. Assertions were modelled as semantic predicates $Pred = \mathcal{P}(H)$, with H the set of heaps, and specifications as world-indexed truth values $W \to 2$. (These latter maps were restricted to be monotone in a certain sense, but that does not matter for the present explanation.) The informal idea was that the set of worlds would consist of invariants that had been framed in, and thus worlds consisted of semantic predicates, $W = Pred$. Here, with higher-order store and nested triples and the collapse of assertion and specification logic, assertions will be modelled as world-indexed predicates. So we get $Pred = W \to \mathcal{P}(H)$. Worlds will still consist of semantic predicates, so $W = Pred$. Thus we see that the set of worlds W should be recursively defined. This captures the idea that any assertion can serve as an invariant to be framed in via a frame rule.

The idea of using such a Kripke model over a recursively defined set of worlds comes from [6], where this idea was used to define a model of a type system with general ML-like references (hence higher-order store). Following [6] we show how to find a solution to the recursive world equation in a category of complete bounded ultrametric spaces (the definition of which we recall below). This is possible by restricting the subsets of H that we use to so-called uniform admissible subsets of H. The set UAdm of all such forms a complete bounded ultrametric space, and thence we can solve the recursive world equation. Having solved that, we show how to define a world extension operator $\otimes$ (which will be used to model the syntactic $\otimes$ operator used earlier) as a fixed point of a suitable contractive operator. Moreover, we show that the subset UAdm of $\mathcal{P}(H)$ is a complete Heyting algebra with a commutative and monotone monoid structure, as needed for the interpretation of separation logic.

Having defined semantic predicates in certain metric spaces allows us to interpret re- 
cursively defined assertions via application of Banach's fixed point theorem. 

The final core idea in the development is the interpretation of triples. Here we bake 
in the frame rules to the model by including suitable quantifications over future worlds, 
following ideas from earlier work [5] . To ensure that nested triples are modelled as semantic 
predicates, we also force the interpretation of triples to be metrically non-expansive in the 
worlds argument. In particular, predicates involving nested triples can be used in recursive 
definitions of assertions. 

4.2. Semantics of expressions and commands. The interpretation of the programming language is given in the category $\mathbf{Cppo}_\bot$ of pointed cpos and strict continuous functions¹

¹As usual, $\sqsubseteq$ denotes the partial order of a cpo and $\bot$ denotes the least element of a pointed cpo, i.e. $\bot \sqsubseteq d$ for any $d$.
$$\begin{array}{lcl}
[\![C_1;C_2]\!]_\eta\,h &=& \text{if } [\![C_1]\!]_\eta\,h \in \{\bot, error\} \text{ then } [\![C_1]\!]_\eta\,h \text{ else } [\![C_2]\!]_\eta([\![C_1]\!]_\eta\,h) \\[3pt]
[\![\text{if } e_1{=}e_2 \text{ then } C_1 \text{ else } C_2]\!]_\eta\,h &=& \text{if } ([\![e_1]\!]_\eta \in Com \vee [\![e_2]\!]_\eta \in Com) \text{ then } \bot \\
&& \text{else if } [\![e_1]\!]_\eta = [\![e_2]\!]_\eta \text{ then } [\![C_1]\!]_\eta\,h \text{ else } [\![C_2]\!]_\eta\,h \\[3pt]
[\![\text{let } x{=}\text{new } e_1,\ldots,e_n \text{ in } C]\!]_\eta\,h &=& \text{let } \ell = \min\{\ell \mid \forall \ell'.\ (\ell \le \ell' < \ell{+}n) \Rightarrow \ell' \notin \mathrm{dom}(h)\} \\
&& \text{in } [\![C]\!]_{\eta[x := \ell]}\,\big(h \cdot \{\!|\ell{=}[\![e_1]\!]_\eta, \ldots, \ell{+}n{-}1{=}[\![e_n]\!]_\eta|\!\}\big) \\[3pt]
[\![\text{free } e]\!]_\eta\,h &=& \text{if } [\![e]\!]_\eta \notin \mathrm{dom}(h) \text{ then } error \\
&& \text{else } \big(\text{let } h' \text{ s.t. } h = h' \cdot \{\!|[\![e]\!]_\eta = h([\![e]\!]_\eta)|\!\} \text{ in } h'\big) \\[3pt]
[\![[e_1] := e_2]\!]_\eta\,h &=& \text{if } [\![e_1]\!]_\eta \notin \mathrm{dom}(h) \text{ then } error \text{ else } h[[\![e_1]\!]_\eta \mapsto [\![e_2]\!]_\eta] \\[3pt]
[\![\text{let } x{=}[e] \text{ in } C]\!]_\eta\,h &=& \text{if } [\![e]\!]_\eta \notin \mathrm{dom}(h) \text{ then } error \text{ else } [\![C]\!]_{\eta[x := h([\![e]\!]_\eta)]}\,h \\[3pt]
[\![\text{eval } [e]]\!]_\eta\,h &=& \text{if } ([\![e]\!]_\eta \notin \mathrm{dom}(h) \vee h([\![e]\!]_\eta) \notin Com) \text{ then } error \\
&& \text{else } (h([\![e]\!]_\eta))(h)
\end{array}$$

Figure 7. Interpretation of commands $[\![C]\!]_\eta \in Heap \multimap T_{err}(Heap)$

and is the same as in our previous work [5]. That is, commands denote strict continuous functions $[\![C]\!]_\eta \in Heap \multimap T_{err}(Heap)$ where

$$Heap = Rec(Val) \qquad Val = Integers_\bot \oplus Com_\bot \qquad Com = Heap \multimap T_{err}(Heap) \qquad (4.1)$$

In these equations, $T_{err}(D) = D \oplus \{error\}_\bot$ denotes the error monad, and $Rec(D)$ denotes records with entries from D and labelled by positive natural numbers. Formally, $Rec(D) = \big(\sum_{N \subseteq_{fin} Nats^{+}} (N \to D_\downarrow)\big)_\bot$, where $(N \to D_\downarrow)$ is the cpo of maps from the finite address set N to the cpo $D_\downarrow = D - \{\bot\}$ of non-bottom elements of D. We use some evident record notation, such as $\{\!|\ell_1{=}d_1, \ldots, \ell_n{=}d_n|\!\}$ for the record mapping label $\ell_i$ to $d_i$, and $\mathrm{dom}(r)$ for the set of labels of a record r. The disjointness predicate $r \# r'$ on records holds if r and r' are not $\bot$ and have disjoint domains, and a partial combining operation $r \cdot r'$ is defined by

$$r \cdot r' \stackrel{\text{def}}{=} \text{if } r \# r' \text{ then } r \cup r' \text{ else } \bot.$$

The interpretation of commands is repeated in Figure 7 (assuming $h \neq \bot$), and below we point out where this interpretation deviates from the norm. Firstly, the new statement uses a deterministic allocator which, however, cannot be controlled by the programmer², which is important to ensure that allocation respects the frame rule. Any deterministic allocator would work here, but note that in our denotational semantics we can only work with deterministic allocation. The semantics of the if statement is divergence if one of the expressions in the test is a command. If we wanted to raise an error in this case (which would be more appropriate), we would have to include type checking in the logic, because of our fault-avoiding semantics of triples. We decided not to do this here, as it would clutter the rules with type-checking assertions like int(e) or com(e), which are true in case expression e is an integer-valued expression or a command, respectively.

²This means that there is no way to stipulate what the new location is, as this must depend solely on the already allocated locations.
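The semantic equations of Figure 7 and the laundering counterexample of Section 3.3 ('eval [c]; eval [3]' with $c \mapsto$ 'let x=[2] in [3]:=x' and $2 \mapsto$ 'free(-1)') can be run as an executable model. The following Python is an added example, not code from the paper: it assumes concrete labels (c = 1, cell 3 initially holding 'skip'), treats expressions as already-evaluated closed values, and models $\bot$ as None. The point a practitioner should take from it is the fault-avoiding reading of triples: the code stored in c is harmless in isolation, yet the program faults, because eval runs whatever the heap currently holds.

```python
"""Executable model of the command semantics of Figure 7 (a constructed example, not the paper's code).
A heap is a dict from positive integer labels to values; a value is an int or a Command.  A Command
maps a heap to a new heap, to ERROR, or to None (modelling bottom, i.e. divergence).  Expressions are
taken as already-evaluated closed values; a variable bound by let is passed to a Python function
that plays the role of the command body C."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

ERROR = "error"  # the error element of T_err(Heap)


@dataclass(frozen=True)
class Command:
    """Stored code, as in Com = Heap -o T_err(Heap)."""
    run: Callable[[Dict[int, object]], object]
    name: str


Value = Union[int, Command]
Heap = Dict[int, Value]
Result = Union[Heap, str, None]  # a heap, ERROR, or None for bottom


def skip() -> Command:
    return Command(lambda h: h, "skip")


def seq(c1: Command, c2: Command) -> Command:
    """[[C1; C2]]: propagate bottom and error from C1, otherwise run C2 on C1's result."""
    def run(h: Heap) -> Result:
        r = c1.run(h)
        return r if r is None or r == ERROR else c2.run(r)
    return Command(run, f"{c1.name}; {c2.name}")


def new(vals: List[Value], body: Callable[[int], Command]) -> Command:
    """[[let x=new e1,...,en in C]]: deterministic allocator, lowest block of n free labels."""
    n = len(vals)
    def run(h: Heap) -> Result:
        loc = 1
        while any(l in h for l in range(loc, loc + n)):
            loc += 1
        h2 = dict(h)
        h2.update({loc + i: v for i, v in enumerate(vals)})
        return body(loc).run(h2)
    return Command(run, "let x=new ... in ...")


def free(loc: int) -> Command:
    """[[free e]]: fault unless the cell is allocated, so free(-1) always faults."""
    def run(h: Heap) -> Result:
        if loc not in h:
            return ERROR
        h2 = dict(h)
        del h2[loc]
        return h2
    return Command(run, f"free({loc})")


def assign(loc: int, val: Value) -> Command:
    """[[[e1]:=e2]]: update an allocated cell (the value may be code), fault otherwise."""
    def run(h: Heap) -> Result:
        if loc not in h:
            return ERROR
        h2 = dict(h)
        h2[loc] = val
        return h2
    return Command(run, f"[{loc}]:=...")


def let_read(loc: int, body: Callable[[Value], Command]) -> Command:
    """[[let x=[e] in C]]: read a cell (which may hold code) and bind it in C."""
    def run(h: Heap) -> Result:
        if loc not in h:
            return ERROR
        return body(h[loc]).run(h)
    return Command(run, f"let x=[{loc}] in ...")


def eval_at(loc: int) -> Command:
    """[[eval [e]]]: run the code stored at e on the whole current heap, its own cell included
    (this is what allows recursion through the store); fault if e is unallocated or holds an int."""
    def run(h: Heap) -> Result:
        if loc not in h or not isinstance(h[loc], Command):
            return ERROR
        return h[loc].run(h)
    return Command(run, f"eval [{loc}]")


def laundering_program(code_in_cell_2: Command) -> Result:
    """'eval [c]; eval [3]' with c = 1 (an assumed label), c holding 'let x=[2] in [3]:=x',
    and cell 3 initially holding 'skip'."""
    c = 1
    heap: Heap = {c: let_read(2, lambda x: assign(3, x)), 2: code_in_cell_2, 3: skip()}
    return seq(eval_at(c), eval_at(3)).run(heap)


def laundering_counterexample() -> Result:
    """Cell 2 holds 'free(-1)': c never calls it but copies it into 3, so the second eval faults."""
    return laundering_program(free(-1))


def allocate_demo() -> Result:
    """Allocation is deterministic: on {1: 5, 3: 6} the lowest free pair is labels 4 and 5."""
    return new([7, 8], lambda loc: assign(loc, 9)).run({1: 5, 3: 6})
```

Running `laundering_counterexample()` returns ERROR, while the same program with 'skip' in cell 2 (`laundering_program(skip())`) terminates with a heap in which cell 3 now holds 'skip'. Nothing in the code of c distinguishes the two runs; only the contents of cell 2 do, which is why a specification of c that says nothing about what cell 2 holds cannot rule out the fault.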
The interpretation of expressions is entirely standard, with the exception of the quote operation, 'C', which uses the injection of Com into Val. Thus, the semantic equations for expressions are omitted.

A solution to equation (4.1) for Heap can be obtained by the usual inverse limit construction [29] in the category $\mathbf{Cppo}_\bot$. This solution is an SFP domain (e.g., [31]), and thus comes equipped with an increasing chain $\pi_n : Heap \to Heap$ of continuous projection maps, satisfying $\pi_0 = \bot$, $\bigsqcup_{n \in \omega} \pi_n = \mathrm{id}_{Heap}$, and $\pi_n \circ \pi_m = \pi_{\min\{n,m\}}$. The image of each $\pi_n$ is finite, hence each $\pi_n(h)$ is a compact element of Heap. Moreover, the projections are compatible with composition of heaps: we have $\pi_n(h \cdot h') = \pi_n(h) \cdot \pi_n(h')$ for all $h, h'$.

4.3. Semantic domain for assertions. A subset $p \subseteq Heap$ is admissible if $\bot \in p$ and if $p$ is closed under taking least upper bounds of $\omega$-chains. It is uniform [6] if it is closed under the projections, i.e., if $h \in p$ implies $\pi_n(h) \in p$ for all n. We write UAdm for the set of all uniform admissible subsets of Heap. For $p \in UAdm$, $p_{[n]}$ denotes the image of p under $\pi_n$. Note that uniformity means $p_{[n]} \subseteq p$, and that $p_{[n]} \in UAdm$. We may regard any subset $p \subseteq Heap$ (not necessarily uniform or admissible) as a subset of $T_{err}(Heap)$ in the evident way.

The uniform admissible subsets will form the basic building block when interpreting the assertions of our logic. As we have already described informally above, assertions in general depend on invariants for stored code. Thus, the space of semantic predicates Pred will consist of functions $W \to UAdm$ from a set of "worlds," describing the invariants, to the collection of uniform admissible subsets of heaps. But the invariants for stored code are themselves semantic predicates, and the interaction between Pred and W is governed by (the semantics of) $\otimes$. Hence we seek a space of worlds W that is "the same" as $W \to UAdm$. We obtain such a W using metric spaces.

Recall that a 1-bounded ultrametric space $(X, d)$ is a metric space where the distance function $d : X \times X \to \mathbb{R}$ takes values in the closed interval $[0, 1]$ and satisfies the strong triangle inequality $d(x,y) \le \max\{d(x,z), d(z,y)\}$ for all $x, y, z \in X$. An (ultra-)metric space is complete if every Cauchy sequence has a limit. A function $f : X_1 \to X_2$ between metric spaces $(X_1, d_1)$ and $(X_2, d_2)$ is non-expansive if for all $x, y \in X_1$, $d_2(f(x), f(y)) \le d_1(x, y)$. It is contractive if for some $\delta < 1$, $d_2(f(x), f(y)) \le \delta \cdot d_1(x, y)$ for all $x, y \in X_1$. By the Banach fixed point theorem, every contractive function $f : X \to X$ on a non-empty and complete metric space $(X, d)$ has a unique fixed point.

The complete, 1-bounded, non-empty ultrametric spaces and non-expansive functions between them form a Cartesian closed category CBUlt. Products in CBUlt are given by the set-theoretic product where the distance is the maximum of the componentwise distances. The exponentials are given by the non-expansive functions equipped with the sup-metric, i.e., the exponential $(X_1, d_1) \to (X_2, d_2)$ has the set of non-expansive functions from $(X_1, d_1)$ to $(X_2, d_2)$ as underlying set, and distance function $d_{X_1 \to X_2}(f, g) = \sup\{d_2(f(x), g(x)) \mid x \in X_1\}$. A functor $F : \mathrm{CBUlt}^{op} \times \mathrm{CBUlt} \to \mathrm{CBUlt}$ is locally non-expansive if $d(F(f,g), F(f',g')) \le \max\{d(f,f'), d(g,g')\}$ for all non-expansive $f, f', g, g'$, and it is locally contractive if $d(F(f,g), F(f',g')) \le \delta \cdot \max\{d(f,f'), d(g,g')\}$ for some $\delta < 1$. The functor that results from composing a locally non-expansive functor with a locally contractive one is locally contractive. By multiplication of the distance function of an ultrametric space $(X, d)$ with a shrinking factor $\delta < 1$ one obtains a new ultrametric space, $\delta \cdot (X, d) = (X, d')$ where $d'(x, y) = \delta \cdot d(x, y)$. Using this operation, a locally contractive functor $(\delta \cdot F)(X_1, X_2) = \delta \cdot (F(X_1, X_2))$ can be obtained from any locally non-expansive functor F.

The set UAdm of uniform admissible subsets of Heap becomes a complete, 1-bounded ultrametric space when equipped with the following distance function:

$$d(p, q) = \begin{cases} 2^{-\max\{i \in \omega \,\mid\, p_{[i]} = q_{[i]}\}} & \text{if } p \neq q \\ 0 & \text{otherwise} \end{cases}$$

Note that d is well-defined: first, because $\pi_0 = \bot$ and $\bot \in p$ for all $p \in UAdm$, the set $\{i \in \omega \mid p_{[i]} = q_{[i]}\}$ is non-empty; second, this set is finite, because $p \neq q$ implies $p_{[i]} \neq q_{[i]}$ for all sufficiently large i, by the uniformity of p, q and the fact that the limit of the projections $\pi_i$ is the identity on Heap.

Theorem 4.1 (Existence of recursive worlds). There exists an ultrametric space W and an isomorphism $\iota$ from $\tfrac{1}{2} \cdot (W \to UAdm)$ to W in CBUlt.

Proof. By an application of America & Rutten's existence theorem for fixed points of locally contractive functors [1], applied to the functor $F(X, Y) = \tfrac{1}{2} \cdot (X \to UAdm)$ on CBUlt. See [6] for details of a similar recent application. □

We write Pred for $\tfrac{1}{2} \cdot (W \to UAdm)$ and $\iota^{-1} : W \cong Pred$ for the inverse of $\iota$.

Definition 4.2 (Approximate equality, [6]). For an ultrametric space $(X, d)$ and $n \in \omega$ we use the notation $x \stackrel{n}{=} y$ to mean that $d(x, y) \le 2^{-n}$.

We conclude this subsection with a number of simple but useful observations, which will be used repeatedly in the following proofs. By the ultrametric inequality, each $\stackrel{n}{=}$ is an equivalence relation on X. Moreover, if $n \le m$ then $\stackrel{n}{=}\ \supseteq\ \stackrel{m}{=}$, and $x = y$ if and only if $x \stackrel{n}{=} y$ for all $n \in \omega$. Since all non-zero distances in UAdm are of the form $2^{-n}$ for some $n \in \omega$, this is also the case for the distance function on W. Therefore, to show that a map f is non-expansive it suffices to show that $f(x) \stackrel{n}{=} f(y)$ whenever $x \stackrel{n}{=} y$. Finally, the factor $\tfrac{1}{2}$ in the definition of Pred has the following consequence: for $p, q \in Pred$, $p \stackrel{n+1}{=} q$ holds if and only if $p(w) \stackrel{n}{=} q(w)$ for all $w \in W$.



4.4. Separating conjunction and invariant extension. For $p, q \in UAdm$, the separating conjunction $p \ast q$ is defined as usual, by

$$h \in p \ast q \;\stackrel{\text{def}}{\Longleftrightarrow}\; \exists h_1, h_2.\ h = h_1 \cdot h_2 \wedge h_1 \in p \wedge h_2 \in q.$$

This operation is lifted to non-expansive functions $p_1, p_2 \in Pred$ pointwise, by letting $(p_1 \ast p_2)(w) = p_1(w) \ast p_2(w)$. This lifting is well-defined, and moreover determines a non-expansive operation on the space Pred:

Lemma 4.3 (Separating conjunction). If $p, q \in Pred$ then $p \ast q \in Pred$. Moreover, the assignment of $p, q$ to $p \ast q$ is a non-expansive operation on Pred.

Proof. As a preliminary step one shows that separating conjunction on UAdm is well-defined, i.e., if $p, q \in UAdm$ then so is $p \ast q$: The admissibility of $p \ast q$ follows from $\bot = \bot \cdot \bot$ and from the fact that (non-$\bot$) heaps are only comparable with respect to the order on Heap if they have equal (finite) domains. More precisely, any chain $h_1 \sqsubseteq h_2 \sqsubseteq \ldots$ in $p \ast q$ must have a subsequence $(h_{i_k})_k = (h'_{i_k} \cdot h''_{i_k})_k$ that splits into chains $h'_{i_1} \sqsubseteq h'_{i_2} \sqsubseteq \ldots$ in p and $h''_{i_1} \sqsubseteq h''_{i_2} \sqsubseteq \ldots$ in q. The combination of their respective lubs in p and q is the lub of the $h_k$'s, and therefore in $p \ast q$ by the admissibility of p and q. The uniformity of $p \ast q$ is a consequence of the equation $\pi_n(h_1 \cdot h_2) = \pi_n(h_1) \cdot \pi_n(h_2) \in p \ast q$.

We now show that for $p, q \in Pred$, $p \ast q$ is a non-expansive function. Suppose $w, w' \in W$ such that $w \stackrel{n}{=} w'$, and suppose $\pi_n(h) \in (p \ast q)(w) = p(w) \ast q(w)$. We must show that $\pi_n(h) \in (p \ast q)(w')$. By definition of $\ast$ on UAdm there exist $h_1 \in p(w)$ and $h_2 \in q(w)$ such that $\pi_n(h) = h_1 \cdot h_2$. By uniformity, we also have $\pi_n(h_1) \in p(w)$ and $\pi_n(h_2) \in q(w)$. Since we assumed $w \stackrel{n}{=} w'$, and p and q are non-expansive, this yields

$$\pi_n(h_1 \cdot h_2) = \pi_n(h_1) \cdot \pi_n(h_2) \in p(w') \ast q(w') = (p \ast q)(w').$$

Finally, since $\pi_n(h) = \pi_n(\pi_n(h)) = \pi_n(h_1 \cdot h_2)$, the statement $\pi_n(h) \in (p \ast q)(w')$ follows.

To see that separating conjunction is non-expansive, assume that $p \stackrel{n}{=} p'$ and $q \stackrel{n}{=} q'$ for arbitrary $p, p', q, q' \in Pred$. We must show that $p \ast q \stackrel{n}{=} p' \ast q'$. Since $Pred = \tfrac{1}{2} \cdot (W \to UAdm)$ we can equivalently show that $p(w) \ast q(w) \stackrel{n-1}{=} p'(w) \ast q'(w)$ for all $w \in W$. This follows from the assumption that $p \stackrel{n}{=} p'$ and $q \stackrel{n}{=} q'$ and the fact that $\pi_{n-1}(h) = \pi_{n-1}(h_1) \cdot \pi_{n-1}(h_2)$ whenever $h = h_1 \cdot h_2$. □

The corresponding unit for the lifted separating conjunction is the non-expansive function $emp = \lambda w.\,\{\{\!|\,|\!\}, \bot\}$, i.e., $p \ast emp = emp \ast p = p$ holds for all $p \in Pred$. We let the world $emp \stackrel{\text{def}}{=} \iota(emp)$ be its image under the isomorphism.

The following lemma introduces semantic analogues of the syntactic invariant extension operation $P \otimes R$ and the invariant combination $R \circ R'$.

Lemma 4.4 (Invariant combination and invariant extension). There exists a non-expansive map $\circ : W \times W \to W$ and a map $\otimes : Pred \times W \to Pred$ that is non-expansive in its first and contractive in its second argument, satisfying the equations

$$r \circ r' = \iota\big(\iota^{-1}(r) \otimes r' \ast \iota^{-1}(r')\big) \qquad\text{and}\qquad (p \otimes r)(w) = p(r \circ w)$$

for all $p \in Pred$ and $r, r' \in W$.

Proof. The defining equations of both operations give rise to contractive maps, which have (unique) fixed points by Banach's fixed point theorem. More precisely, consider the endofunction $\Phi$ on the function space $W \times W \to W$, defined for all $\circ \in (W \times W \to W)$ and all $r, r' \in W$ by

$$\Phi(\circ)(r, r') = \iota\big((\lambda w.\,\iota^{-1}(r)(r' \circ w)) \ast \iota^{-1}(r')\big).$$

Note that $\Phi(\circ)$ is indeed a non-expansive function, i.e., an element of the function space $W \times W \to W$: if $r \stackrel{n}{=} s$ and $r' \stackrel{n}{=} s'$ then $r' \circ w \stackrel{n}{=} s' \circ w$ holds in W for all $w \in W$, and $\iota^{-1}(r) \stackrel{n}{=} \iota^{-1}(s)$ and $\iota^{-1}(r') \stackrel{n}{=} \iota^{-1}(s')$ hold in Pred. Since separating conjunction is non-expansive by Lemma 4.3, the approximate equality

$$(\lambda w.\,\iota^{-1}(r)(r' \circ w)) \ast \iota^{-1}(r') \;\stackrel{n-1}{=}\; (\lambda w.\,\iota^{-1}(s)(s' \circ w)) \ast \iota^{-1}(s')$$

holds in $W \to UAdm$, so that $\Phi(\circ)(r, r') \stackrel{n}{=} \Phi(\circ)(s, s')$ in W.

We show that the function $\Phi$ is contractive. Assume that $\circ_1 \stackrel{n}{=} \circ_2$ holds in $W \times W \to W$; we must show that $\Phi(\circ_1) \stackrel{n+1}{=} \Phi(\circ_2)$. Let $r, r' \in W$ be arbitrary. Then by the sup-metric on $W \times W \to W$ it suffices to prove that $\Phi(\circ_1)(r, r') \stackrel{n+1}{=} \Phi(\circ_2)(r, r')$ holds in W, or equivalently, that

$$(\lambda w.\,\iota^{-1}(r)(r' \circ_1 w)) \ast \iota^{-1}(r') \;\stackrel{n}{=}\; (\lambda w.\,\iota^{-1}(r)(r' \circ_2 w)) \ast \iota^{-1}(r')$$

holds in $W \to UAdm$. By the non-expansiveness of separating conjunction (Lemma 4.3) and the sup-metric on $W \to UAdm$, this follows since $r' \circ_1 w \stackrel{n}{=} r' \circ_2 w$ holds for all $w \in W$ by the assumption that $\circ_1 \stackrel{n}{=} \circ_2$, and hence $\iota^{-1}(r)(r' \circ_1 w) \stackrel{n}{=} \iota^{-1}(r)(r' \circ_2 w)$ holds.

By contractiveness of $\Phi$ and the Banach fixed point theorem, there exists a unique non-expansive map $\circ$ satisfying $r \circ r' = \Phi(\circ)(r, r')$. We can now define the operation $\otimes : Pred \times W \to Pred$ by $p \otimes r \stackrel{\text{def}}{=} \lambda w.\,p(r \circ w)$ for all $p \in Pred$ and $r \in W$, from which the required equivalences follow:

$$r \circ r' = \Phi(\circ)(r, r') = \iota\big(\lambda w.\,\iota^{-1}(r)(r' \circ w) \ast \iota^{-1}(r')\big) = \iota\big(\iota^{-1}(r) \otimes r' \ast \iota^{-1}(r')\big).$$

Finally, we note that if $p \stackrel{n}{=} p'$ and $r \stackrel{m}{=} r'$ then $p \otimes r \stackrel{k}{=} p' \otimes r'$ for $k = \min\{n, m+1\}$, i.e., the operation $\otimes$ is non-expansive in its first argument and contractive in its second argument. To see this, suppose $p \stackrel{n}{=} p'$ holds in Pred and $r \stackrel{m}{=} r'$ holds in W. Without loss of generality we may assume $n > 0$, so that $p \stackrel{n-1}{=} p'$ holds in $W \to UAdm$. By non-expansiveness of $\circ$ it follows that $r \circ w \stackrel{m}{=} r' \circ w$ for all w, and therefore $\lambda w.\,p(r \circ w) \stackrel{\min\{n-1,\, m\}}{=} \lambda w.\,p'(r' \circ w)$ in $W \to UAdm$. Hence $p \otimes r \stackrel{\min\{n,\, m+1\}}{=} p' \otimes r'$ holds in Pred as required. □

The following lemma establishes key properties of the two operations $\circ$ and $\otimes$ that we defined in Lemma 4.4. These properties provide a semantic explanation of the distribution axioms given in Figure 2.

Lemma 4.5 (Monoid structure and monoid action). $(W, \circ, emp)$ is a monoid in CBUlt. Moreover, $\otimes$ is an action of this monoid on Pred.

Proof. First, emp is a left unit for $\circ$, since $\iota^{-1}(emp)$ is the constant function emp on W:

$$emp \circ r = \iota\big((\lambda w.\,\iota^{-1}(emp)(r \circ w)) \ast \iota^{-1}(r)\big) = \iota(\iota^{-1}(r)) = r.$$

Using this fact, it is easy to prove that it is also a right unit for the $\circ$ operation:

$$r \circ emp = \iota\big(\lambda w.\,\iota^{-1}(r)(emp \circ w) \ast \iota^{-1}(emp)\big) = \iota\big(\lambda w.\,\iota^{-1}(r)(w) \ast emp\big) = r.$$

Next, we prove by induction that for all $n \in \omega$, $\circ$ is associative up to distance $2^{-n}$, from which associativity follows. By the 1-boundedness of W the base case is clear. For the inductive step $n > 0$, by definition of the distance function on Pred it suffices to show that for all $w \in W$, $\iota^{-1}((r \circ s) \circ t)(w) \stackrel{n-1}{=} \iota^{-1}(r \circ (s \circ t))(w)$. This equation follows from the definition of $\circ$ as follows:

$$\begin{array}{rcl}
\iota^{-1}((r \circ s) \circ t)(w) &=& \iota^{-1}(r \circ s)(t \circ w) \ast \iota^{-1}(t)(w) \\
&=& \iota^{-1}(r)(s \circ (t \circ w)) \ast \iota^{-1}(s)(t \circ w) \ast \iota^{-1}(t)(w) \\
&=& \iota^{-1}(r)(s \circ (t \circ w)) \ast \iota^{-1}(s \circ t)(w) \\
&\stackrel{n-1}{=}& \iota^{-1}(r)((s \circ t) \circ w) \ast \iota^{-1}(s \circ t)(w) \\
&=& \iota^{-1}(r \circ (s \circ t))(w).
\end{array}$$

The second last step in this derivation is by the inductive hypothesis, using the non-expansiveness of $\iota^{-1}(r)$.

That $\otimes$ forms an action of W on Pred follows from these properties of $\circ$. First, $p \otimes emp = \lambda w.\,p(emp \circ w) = p$, since emp is a unit for $\circ$. Second,

$$(p \otimes r) \otimes s = \lambda w.\,p(r \circ (s \circ w)) = \lambda w.\,p((r \circ s) \circ w) = p \otimes (r \circ s)$$

by the associativity of $\circ$. □

4.5. Semantics of triples and assertions. Since assertions appear in the pre- and postconditions of Hoare triples, and triples can be nested inside assertions, the interpretation of assertions and the validity of triples must be defined simultaneously. To achieve this, we first define a notion of fault-avoiding semantic triple.

Definition 4.6 (Semantic triple). A semantic Hoare triple consists of predicates $p, q \in Pred$ and a strict continuous function $c \in Heap \multimap T_{err}(Heap)$, written $\{p\}c\{q\}$. For $w \in W$, a semantic triple $\{p\}c\{q\}$ is forced by w, written $w \models \{p\}c\{q\}$, if for all $r \in UAdm$ and all $h \in Heap$:

$$h \in p(w) \ast \iota^{-1}(w)(emp) \ast r \;\Longrightarrow\; c(h) \in \mathrm{Ad}\big(q(w) \ast \iota^{-1}(w)(emp) \ast r\big),$$

where $\mathrm{Ad}(r)$ denotes the least downward closed and admissible set of heaps containing r. A semantic triple is valid, written $\models \{p\}c\{q\}$, if $w \models \{p\}c\{q\}$ for all $w \in W$. We extend semantic triples from $Com = Heap \multimap T_{err}(Heap)$ to all $d \in Val$, by $w \models \{p\}d\{q\}$ iff $d = c$ for some command $c \in Com$ and $w \models \{p\}c\{q\}$.

A triple holds approximately up to level k, written $w \models_k \{p\}d\{q\}$, if $w \models \{p\}\ \pi_k; d; \pi_k\ \{q\}$.

Thus, semantic triples bake in the first-order frame property (by conjoining r), and "close" the "open" recursion (by applying the world w, on which the triple implicitly depends, to emp). The semantics also ensures that if a triple holds, the command in question must not have produced error as its result. One calls such a semantics fault-avoiding, and this is one of the intrinsic features of separation logic. In our case fault-avoidance follows directly from the fact that the semantics of assertions, indexed by worlds, lives in UAdm, which ranges over heaps and does not include the value error. The admissible downward closure that is applied to the entire postcondition is in line with a partial correctness interpretation of triples. In particular, it entails that the sets $\{c \in Com \mid w \models_k \{p\}c\{q\}\}$ and $\{c \in Com \mid w \models \{p\}c\{q\}\}$ are admissible and downward closed subsets of Com.

Since there is a closure operation applied to the postcondition of semantic triples, but no similar closure used in the precondition, it may not be immediate that proved commands compose. The following characterisation is helpful, for instance when proving soundness of the rule of sequential composition.

Lemma 4.7 (Closure). If $f : D \to D'$ is a strict continuous function, $q \subseteq D'$ is an admissible and downwards closed subset of D', and $p \subseteq D$ is an arbitrary subset of D, then $f(p) \subseteq q$ implies $f(\mathrm{Ad}(p)) \subseteq q$.

Proof. Since f is continuous (and hence monotone), the pre-image $f^{-1}(q)$ of q is admissible and downward closed. From the assumption that $f(p) \subseteq q$ it follows that $p \subseteq f^{-1}(q)$, and thus $\mathrm{Ad}(p) \subseteq f^{-1}(q)$, as the former is by definition the least admissible and downward closed subset of D containing p. Thus, if $h \in \mathrm{Ad}(p)$ then $f(h) \in q$. □

Observe that $w \models_k \{p\}\,c\,\{q\}$ indeed provides an approximation of the judgement $w \models \{p\}\,c\,\{q\}$,
in the sense that $w \models \{p\}\,c\,\{q\}$ is equivalent to $\forall k \in \omega.\; w \models_k \{p\}\,c\,\{q\}$. Finally,
semantic triples are non-expansive, in the sense that if $w \overset{n}{=} w'$ and $w \models_n \{p\}\,c\,\{q\}$, then
$w' \models_n \{p\}\,c\,\{q\}$; they are similarly non-expansive in the pre- and post-conditions $p$ and $q$.
This observation plays a key role in the following definition of the semantics of nested triples.

Lemma 4.8 (Non-expansiveness of semantic triples). Let $w, w' \in W$ be such that $w \overset{n}{=} w'$.
Let $p, p', q, q' \in \mathit{Pred}$ be such that $p \overset{n}{=} p'$ and $q \overset{n}{=} q'$. If $w \models_n \{p\}\,c\,\{q\}$, then $w' \models_n \{p'\}\,c\,\{q'\}$.

Proof. Let $w, w', p, p', q$ and $q'$ be as in the statement of the lemma, and let $c : \mathit{Heap} \multimap
T_{\mathit{err}}(\mathit{Heap})$ be such that $w \models_n \{p\}\,c\,\{q\}$. To prove that $w' \models_n \{p'\}\,c\,\{q'\}$, suppose $r \in
\mathit{UAdm}$ and $h \in \mathit{Heap}$ are such that $h \in p'(w') * \iota^{-1}(w')(\mathit{emp}) * r$. We have to show that
$\pi_n(c(\pi_n\,h)) \in \mathrm{Ad}(q'(w') * \iota^{-1}(w')(\mathit{emp}) * r)$.

Since $w \overset{n}{=} w'$ holds by assumption, we have $\iota^{-1}(w')(\mathit{emp}) \overset{n}{=} \iota^{-1}(w)(\mathit{emp})$. Hence,
by the non-expansiveness of $p$, by the assumption $p \overset{n}{=} p'$, and by the compatibility of the
heap combination operation with projections, we have $\pi_n(h) \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$.
By the assumption that $w \models_n \{p\}\,c\,\{q\}$ and since $\pi_n \circ \pi_n = \pi_n$, this yields $\pi_n(c(\pi_n\,h)) \in
\mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. Using the non-expansiveness of $q$, the assumption $q \overset{n}{=} q'$,
uniformity of $r$, and the fact that $\iota^{-1}(w)(\mathit{emp}) \overset{n}{=} \iota^{-1}(w')(\mathit{emp})$, we know that $\pi_n(h') \in
q'(w') * \iota^{-1}(w')(\mathit{emp}) * r$ holds whenever $h' \in q(w) * \iota^{-1}(w)(\mathit{emp}) * r$. Thus, using $\pi_n \circ \pi_n = \pi_n$
again, $\pi_n(c(\pi_n(h))) \in \mathrm{Ad}(q'(w') * \iota^{-1}(w')(\mathit{emp}) * r)$ holds by Lemma 4.7 and the continuity
of the projection $\pi_n$. □

Assertions (without free relation variables) are interpreted as elements $[\![P]\!]_\eta \in \mathit{Pred}$.
More generally, assume that the free relation variables of $P$ are contained in $\Xi = X_1, \ldots, X_n$,
where the arity of $X_i$ is $n_i$. Then $P$ denotes a non-expansive function from $\prod_{X_i \in \Xi} \mathit{Pred}^{\mathit{Val}^{n_i}}$
to $\mathit{Pred}$. Note that $(\mathit{UAdm}, \subseteq)$ is a complete Heyting algebra (as shown in Appendix B.1,
Lemma B.1). Using the pointwise extension of the operations of this algebra to the set
of non-expansive functions $W \to \mathit{UAdm}$, we also obtain a complete Heyting algebra on
$\mathit{Pred} = \tfrac{1}{2} \cdot (W \to \mathit{UAdm})$ which soundly models the intuitionistic predicate part of the
assertion logic. (See Appendix B.1, Lemma B.2 for details.) The monoid action of $W$ on
$\mathit{Pred}$ serves to model the invariant extension of the assertion logic.

Remark 4.9. While $\mathit{UAdm}$ (and hence $\mathit{Pred}$) is a complete Heyting algebra, it is not a
complete Heyting BI algebra, as usually assumed for the interpretation of the assertion
language in separation logic [22]. More precisely, what is missing is the right adjoint ("magic
wand") for the monoid operation $*$: the candidate operation,
$$p \mathrel{-\!\!*} q = \{h \mid \forall n \in \omega.\ \forall h' \in \mathit{Heap}.\ \text{if } \pi_n(h') \in p \wedge \pi_n(h) \mathrel{\#} \pi_n(h') \text{ then } \pi_n(h \cdot h') \in q\},$$
alas, fails to be non-expansive. This is a particularly annoying shortcoming of our model,
since this spatial implication is important when dealing with shared memory. For instance,
$(P \mathrel{-\!\!*} Q) * (P \mathrel{-\!\!*} R) * P$ expresses that $R$ and $Q$ overlap in the shared part $P$. Recently, we have
constructed an alternative model of our logic, based on an operational semantics of the
programming language and using the ideas of step-indexing, where the right adjoint does
exist.

In order to define an interpretation of nested triples we use the following definition: 

Definition 4.10 (Rank of a heap). If $h$ is a compact element of $\mathit{Heap}$, then the least $n$ for
which $\pi_n(h) = h$ is the rank of $h$, abbreviated $\mathit{rnk}(h)$; otherwise the rank is undefined.

Figure 8. Semantics of assertions. [figure not reproduced]

The interpretation of assertions is spelled out in detail in Figure 8. The interpretation
of a nested triple $\{P\}\,e\,\{Q\}$ is not independent of the heap, unlike the (more traditional)
semantics of "top-level" triples, i.e. $\models \{p\}\,c\,\{q\}$. More precisely, the definition in Figure 8
means that triples as assertions depend on the rank of the current heap. This is necessary to
obtain a non-expansive function from $W$ to $\mathit{UAdm}$. Simpler definitions of the interpretation
of triples, like $\{h \in \mathit{Heap} \mid w \models \{[\![P]\!]_\eta\rho\}\,[\![e]\!]_\eta\,\{[\![Q]\!]_\eta\rho\}\}$, are heap independent but not
non-expansive. A similar approach has been taken in [6] to force non-expansiveness for
a reference type constructor for ML-style references. We discuss the ramifications of this
choice in Section 5. Note also that the only atomic assertions that depend on the world $w$
are triples, as they are the only ones that are affected by invariants.

Lemma 4.11 (Well-definedness). The interpretation in Figure 8 is well-defined:

(1) If the free relation variables of $P$ are contained in $\Xi = X_1, \ldots, X_n$ then $[\![P]\!]_\eta$ denotes a
non-expansive function from $\prod_{X_i \in \Xi} \mathit{Pred}^{\mathit{Val}^{n_i}}$ to $\mathit{Pred}$.

(2) If $P$ is formally contractive in $X$ then the functional $\lambda q.\,[\![P]\!]_\eta\,\rho[X := q]$ is a contractive
map from $\mathit{Pred}^{\mathit{Val}^{n}}$ to $\mathit{Pred}$, where $n$ is the arity of $X$.

Proof sketch. Both parts are proved simultaneously by induction on the structure of $P$. The
second part is used to show the well-definedness of recursive specifications, using the fact
that the fixed point operator itself is non-expansive. Details are given in Appendix B.2. □

As a consequence of the interpretation of triples, the axiom $\{\{A\}\,e\,\{B\} \wedge A\}\,e\,\{B\}$ does
not hold: the inner triple is only approximately valid, up to the level given by the rank of the
argument heap. Similarly, the following rule
$$\frac{\{A\}\,e\,\{B\} \Rightarrow \{P\}\,e'\,\{Q\}}{\{\{A\}\,e\,\{B\} \wedge P\}\,e'\,\{Q\}}$$
is not validated by our semantics (the opposite direction actually holds; see Section 5).
Axioms and rules like these are used, e.g., by Honda et al. [12], in proofs for recursion
through the store; instead we use (Eval).

4.6. Soundness of the axioms and proof rules. We prove soundness of the axioms
and proof rules listed in Sections 2 and 3. We start by defining a notion of validity for
judgements and rules with respect to which the soundness will be shown.

Definition 4.12 (Validity of judgements). A judgement $\Xi;\Gamma \vdash \{P\}\,{}'C'\,\{Q\}$ is valid if,
and only if, for all $\eta \in \mathit{Env}$ such that $\mathrm{dom}(\eta) \supseteq \Gamma$ and for all $\rho \in \prod_{X_i \in \Xi} \mathit{Pred}^{\mathit{Val}^{n_i}}$ such
that $n_i$ is the arity of $X_i$, we have $\models \{[\![P]\!]_\eta\rho\}\,[\![C]\!]_\eta\,\{[\![Q]\!]_\eta\rho\}$. A rule with premise $J_1$ and
conclusion $J_2$ is then called sound if validity of judgement $J_1$ implies the validity of judgement $J_2$.
Similarly, an axiom $J$ is called sound if judgement $J$ is valid.

Below we prove the most interesting rules of our logic sound. Where proofs are parametric
in the assertions we will directly work with semantic Hoare triples.
Let us first consider the distribution axioms for $- \otimes R$ given in Figure 2.

Lemma 4.13 (Distribution axioms). The distribution axioms for $- \otimes R$ are valid.

Proof. We consider the case of invariant extension and triples:

• The validity of $(P \otimes Q) \otimes R \Leftrightarrow P \otimes (Q \circ R)$ is an instance of the fact that $\otimes$ is a monoid
action (Lemma 4.5).

• The validity of $\{P\}\,e\,\{Q\} \otimes R \Leftrightarrow \{P \circ R\}\,e\,\{Q \circ R\}$ follows from the following claim: for all
$p, q, r \in \mathit{Pred}$, strict continuous $c : \mathit{Heap} \multimap T_{\mathit{err}}(\mathit{Heap})$ and all $w \in W$, $\iota(r) \circ w \models \{p\}\,c\,\{q\}$
if and only if $w \models \{p \otimes \iota(r) * r\}\,c\,\{q \otimes \iota(r) * r\}$. The proof of this claim uses the property
$$\forall p.\ (p \otimes \iota(r) * r)(w) * \iota^{-1}(w)(\mathit{emp}) = p(\iota(r) \circ w) * \iota^{-1}(\iota(r) \circ w)(\mathit{emp}).$$
This property is a consequence of the definitions of $\otimes$ and $\circ$:
$$\begin{aligned}
(p \otimes \iota(r) * r)(w) * \iota^{-1}(w)(\mathit{emp}) &= (p \otimes \iota(r))(w) * r(w) * \iota^{-1}(w)(\mathit{emp}) \\
&= p(\iota(r) \circ w) * r(w \circ \mathit{emp}) * \iota^{-1}(w)(\mathit{emp}) \\
&= p(\iota(r) \circ w) * (r \otimes w)(\mathit{emp}) * \iota^{-1}(w)(\mathit{emp}) \\
&= p(\iota(r) \circ w) * ((r \otimes w) * \iota^{-1}(w))(\mathit{emp}) \\
&= p(\iota(r) \circ w) * \iota^{-1}(\iota(r) \circ w)(\mathit{emp}).
\end{aligned}$$
The proofs of the remaining distribution axioms are easy since the logical connectives are
interpreted pointwise, and since $\mathit{emp}$ and $(e_1 \mapsto e_2)$ are constant. □

Next, we consider the proof rules for higher-order store given in Figure [6l 

Lemma 4.14 ($\otimes$-Frame). The $\otimes$-Frame rule is sound: if $h \in p(w)$ for all $h \in \mathit{Heap}$ and
$w \in W$, then $h \in (p \otimes \iota(r))(w)$ for all $h \in \mathit{Heap}$, $w \in W$ and $r \in \mathit{Pred}$.

Proof. Assume that $h \in p(w)$ holds for all $h \in \mathit{Heap}$ and $w \in W$. Let $r \in \mathit{Pred}$, $w \in W$ and
$h \in \mathit{Heap}$. We show $h \in (p \otimes \iota(r))(w)$. Note that we have $(p \otimes \iota(r))(w) = p(\iota(r) \circ w)$ by the
definition of $\otimes$. So, for $w' = \iota(r) \circ w$, the assumption yields $h \in p(w') = (p \otimes \iota(r))(w)$. □

The rule ($\otimes$-Mono), which expresses the monotonicity of $\otimes$ in its left-hand argument,
is in fact derivable from ($\otimes$-Frame) and the distribution axioms. Thus, its soundness is a
consequence of Lemmas 4.13 and 4.14.
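As an added worked example (not part of the original text), here is the derivation of ($\otimes$-Mono) just claimed, spelled out. It assumes the distribution axiom for implication from Figure 2, $(P \Rightarrow P') \otimes R \Leftrightarrow (P \otimes R \Rightarrow P' \otimes R)$, whose validity follows from the pointwise interpretation of $\Rightarrow$ noted in the proof of Lemma 4.13, together with modus ponens from the standard rules of the intuitionistic first-order logic:
$$\frac{\dfrac{\Xi;\Gamma \vdash P \Rightarrow P'}{\Xi;\Gamma \vdash (P \Rightarrow P') \otimes R}\ (\otimes\text{-Frame}) \qquad \Xi;\Gamma \vdash (P \Rightarrow P') \otimes R \Rightarrow (P \otimes R \Rightarrow P' \otimes R)\ (\text{distribution})}{\Xi;\Gamma \vdash P \otimes R \Rightarrow P' \otimes R}$$
Semantically the same two steps read as follows. Write $p = [\![P]\!]_\eta\rho$, $p' = [\![P']\!]_\eta\rho$ and $r = [\![R]\!]_\eta\rho$. Validity of the premise means that every heap lies in $(p \Rightarrow p')(w)$ for every $w \in W$, which by uniformity and admissibility of $p$ and $p'$ is $p(w) \subseteq p'(w)$ for all $w$; Lemma 4.14 applied to the predicate $p \Rightarrow p'$ gives the same at every world of the form $\iota(r) \circ w$, i.e. $p(\iota(r) \circ w) \subseteq p'(\iota(r) \circ w)$. Since $(p \otimes \iota(r))(w) = p(\iota(r) \circ w)$, and likewise for $p'$, this is exactly $(p \otimes \iota(r))(w) \subseteq (p' \otimes \iota(r))(w)$ for all $w$, that is, the validity of $P \otimes R \Rightarrow P' \otimes R$.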

Lemma 4.15 ($*$-Frame). The axiom $\{P\}\,e\,\{Q\} \Rightarrow \{P * R\}\,e\,\{Q * R\}$ is valid for all $P, Q, R, e$.

Proof. We show that for all worlds $w \in W$, predicates $p, q, r \in \mathit{Pred}$ and commands $c \in \mathit{Com}$,
if $w \models \{p\}\,c\,\{q\}$, then $w \models \{p * r\}\,c\,\{q * r\}$. This implies the lemma as follows. If $k > 0$ is the
rank of $\pi_n(h)$ and $\pi_n(h) \in [\![\{P\}\,e\,\{Q\}]\!]_\eta\rho\,w$, then $w \models_{k-1} \{[\![P]\!]_\eta\rho\}\,[\![e]\!]_\eta\,\{[\![Q]\!]_\eta\rho\}$. This lets
us conclude $w \models_{k-1} \{[\![P * R]\!]_\eta\rho\}\,[\![e]\!]_\eta\,\{[\![Q * R]\!]_\eta\rho\}$, which in turn implies that $\pi_n(h)$ is in
$[\![\{P * R\}\,e\,\{Q * R\}]\!]_\eta\rho\,w$. (If $k = 0$ there is nothing to show.)

To prove the claim, assume $w \models \{p\}\,c\,\{q\}$. We must show that $w \models \{p * r\}\,c\,\{q * r\}$. Let
$r' \in \mathit{UAdm}$ and assume
$$h \in (p * r)(w) * \iota^{-1}(w)(\mathit{emp}) * r' = p(w) * \iota^{-1}(w)(\mathit{emp}) * (r(w) * r').$$
Since $w \models \{p\}\,c\,\{q\}$ and $r(w) * r' \in \mathit{UAdm}$, it follows that
$$c(h) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * (r(w) * r')) = \mathrm{Ad}((q * r)(w) * \iota^{-1}(w)(\mathit{emp}) * r'),$$
which establishes $w \models \{p * r\}\,c\,\{q * r\}$. □

Lemma 4.16 (Eval). Suppose that $R[k] \Rightarrow \{P * e \mapsto R[\_]\}\,k\,\{Q\}$ is a valid implication.
Then, if there are no free occurrences of $k$ in $P$, $Q$, $e$ and $R[\_]$, also $\{P * e \mapsto R[\_]\}\,{}'\mathtt{eval}\ [e]'\,\{Q\}$ is valid.

Proof. Let $w \in W$, $\eta \in \mathit{Env}$ and $r \in \mathit{UAdm}$. Let $\rho$ be a suitable assertion environment. Let
$h \in [\![P * e \mapsto R[\_]]\!]_\eta\rho\,w * \iota^{-1}(w)(\mathit{emp}) * r$, so that $h = h' \cdot h''$ for some $h'$ and $h''$ such that
$$h' \in [\![e \mapsto R[\_]]\!]_\eta\rho\,w \quad\text{and}\quad h'' \in [\![P]\!]_\eta\rho\,w * \iota^{-1}(w)(\mathit{emp}) * r. \tag{4.2}$$
We must show that $[\![\mathtt{eval}\ [e]]\!]_\eta\,h \in \mathrm{Ad}([\![Q]\!]_\eta\rho\,w * \iota^{-1}(w)(\mathit{emp}) * r)$. Recall that $e \mapsto R[\_]$
abbreviates $\exists k.\ e \mapsto k \wedge R[k]$ for fresh $k$. By (4.2) we have for all $n > 0$ such that $\pi_n(h') \neq \bot$:
$$[\![e]\!]_\eta \in \mathrm{dom}(\pi_n(h')) = \mathrm{dom}(h') \subseteq \mathrm{dom}(h) \tag{4.3}$$
$$\exists d_n.\ \pi_n(h')([\![e]\!]_\eta) = \pi_n(h'([\![e]\!]_\eta)) \sqsubseteq d_n \ \text{ and }\ \pi_n(h') \in [\![R[k]]\!]_{\eta[k := d_n]}\rho\,w. \tag{4.4}$$
Let us denote $\eta[k := d_n]$ by $\eta_n$. The assumption that $R[k] \Rightarrow \{P * e \mapsto R[\_]\}\,k\,\{Q\}$ is valid
yields:
$$\pi_n(h') \in [\![R[k]]\!]_{\eta_n}\rho\,w \quad\text{implies}\quad \pi_n(h') \in [\![\{P * e \mapsto R[\_]\}\,k\,\{Q\}]\!]_{\eta_n}\rho\,w.$$
Therefore, by (4.4), $\pi_n(h') \in [\![\{P * e \mapsto R[\_]\}\,k\,\{Q\}]\!]_{\eta_n}\rho\,w$ holds for all $n$ sufficiently large.
Let $r_n$ be the rank of $\pi_n(h')$. Since $\pi_n(h') \neq \bot$ we have $r_n > 0$. It follows that
$$\forall n.\ w \models \{[\![P * e \mapsto R[\_]]\!]_{\eta_n}\rho\}\ \pi_{r_n - 1}; d_n; \pi_{r_n - 1}\ \{[\![Q]\!]_{\eta_n}\rho\}.$$
Since
$$\pi_n(h')([\![e]\!]_\eta) = \pi_{r_n}(\pi_n(h'))([\![e]\!]_\eta) \sqsubseteq \pi_{r_n - 1}; d_n; \pi_{r_n - 1}, \tag{4.5}$$
the downward closure of semantic triples in the command argument gives
$$\forall n.\ w \models \{[\![P * e \mapsto R[\_]]\!]_{\eta_n}\rho\}\ \pi_n(h')([\![e]\!]_\eta)\ \{[\![Q]\!]_{\eta_n}\rho\}.$$
Since $k$ was chosen fresh, $\eta_n$ and $\eta$ agree on all variables of $P$, $e$, $R[\_]$ and $Q$; by the
admissibility of semantic triples we thus obtain
$$w \models \{[\![P * e \mapsto R[\_]]\!]_\eta\rho\}\ h'([\![e]\!]_\eta)\ \{[\![Q]\!]_\eta\rho\}. \tag{4.6}$$






J. SCHWINGHAMMER, L. BIRKEDAL, B. REUS, AND H. YANG 



In particular, (4.6) entails that $h([\![e]\!]_\eta) = h'([\![e]\!]_\eta) \in \mathit{Com}$, and thus $[\![\mathtt{eval}\ [e]]\!]_\eta\,h =
h'([\![e]\!]_\eta)(h)$. Since we assumed that $h \in [\![P * e \mapsto R[\_]]\!]_\eta\rho\,w * \iota^{-1}(w)(\mathit{emp}) * r$, we can
conclude $[\![\mathtt{eval}\ [e]]\!]_\eta\,h \in \mathrm{Ad}([\![Q]\!]_\eta\rho\,w * \iota^{-1}(w)(\mathit{emp}) * r)$ by (4.6). □

The soundness of the standard Hoare logic rules is straightforward. We illustrate this
for the sequencing rule next.

Lemma 4.17 (Sequencing). Provided $\{P\}\,{}'C'\,\{R\}$ and $\{R\}\,{}'D'\,\{Q\}$ are valid, then so is
$\{P\}\,{}'C;D'\,\{Q\}$.

Proof. Let $\eta \in \mathit{Env}$, $w \in W$, let $\rho$ be an assertion environment, and let $r \in \mathit{UAdm}$. Let $h \in
[\![P]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We must show that $[\![C;D]\!]_\eta\,h \in \mathrm{Ad}([\![Q]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) *
r)$. First note that $[\![C]\!]_\eta\,h \in \mathrm{Ad}([\![R]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r)$, by the assumption that
$\{P\}\,{}'C'\,\{R\}$ is valid. In particular, $[\![C]\!]_\eta\,h \neq \mathit{error}$. Moreover, in the case where $[\![C]\!]_\eta\,h =
\bot$ we also have $[\![C;D]\!]_\eta\,h = \bot$ by the semantics of sequential composition, so that the
admissibility of $\mathrm{Ad}([\![Q]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ gives the result.

Thus, we can assume that $[\![C;D]\!]_\eta\,h = [\![D]\!]_\eta([\![C]\!]_\eta\,h)$. From the assumption that
$\{R\}\,{}'D'\,\{Q\}$ is valid it follows that $[\![D]\!]_\eta$ maps the set $[\![R]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r$ into
$\mathrm{Ad}([\![Q]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. Since $[\![C]\!]_\eta\,h \in \mathrm{Ad}([\![R]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ we obtain
$[\![D]\!]_\eta([\![C]\!]_\eta\,h) \in \mathrm{Ad}([\![Q]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ by Lemma 4.7 and continuity of $[\![D]\!]_\eta$. □

The proofs for the remaining rules from Figure 3 are similar, and given in Appendix
B.3. An exception is the rule of consequence: the soundness proof of rule (Conseq) is
slightly different from those of the others because (Conseq) involves an implication between
triples, whereas the other rules are inference rules for transforming valid Hoare triples. Due
to the pointwise interpretation of implication and the inclusion of the approximations in the
interpretation of triples, this form of the consequence rule could potentially be problematic.
Our proof of (Conseq) overcomes this potential problem by exploiting the fact that the
rule is "parametric" in the command, i.e., it is the same command that appears in all
the triples of the rule. Two further cases that are similar in this respect are the axioms
(ExistAux) for the elimination of auxiliary variables and (Disj); see Appendix B.3.

Lemma 4.18 (Consequence). If $P' \Rightarrow P$ and $Q \Rightarrow Q'$ are valid implications, then so is
$\{P\}\,e\,\{Q\} \Rightarrow \{P'\}\,e\,\{Q'\}$.

Proof. Let $\eta \in \mathit{Env}$, $\rho$ an assertion environment, and fix $w \in W$ and $n > 0$. Let $p = [\![P]\!]_\eta\rho$,
$p' = [\![P']\!]_\eta\rho$, $q = [\![Q]\!]_\eta\rho$ and $q' = [\![Q']\!]_\eta\rho$, and assume that $\pi_n(h) \in [\![\{P\}\,e\,\{Q\}]\!]_\eta\rho\,w$. We
must prove that $\pi_n(h) \in [\![\{P'\}\,e\,\{Q'\}]\!]_\eta\rho\,w$.

Let $k$ denote the rank of $\pi_n(h)$. Without loss of generality, we can assume $k > 0$. Let
$c$ denote the command $\pi_{k-1}; [\![e]\!]_\eta; \pi_{k-1}$. Then the assumption yields $w \models \{p\}\,c\,\{q\}$, and it
suffices to establish $w \models \{p'\}\,c\,\{q'\}$. For this, suppose that $r \in \mathit{UAdm}$ and let $h' \in p'(w) *
\iota^{-1}(w)(\mathit{emp}) * r$. We must show that $c(h') \in \mathrm{Ad}(q'(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. By the assumption
that $P' \Rightarrow P$ is valid, we also have $h' \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$ by the monotonicity of $*$. By
assumption, $c(h') \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. By the assumption that $Q \Rightarrow Q'$ is valid,
and using monotonicity of $*$ and $\mathrm{Ad}(\cdot)$, we obtain $c(h') \in \mathrm{Ad}(q'(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ as
required. □
5. Proof Rules involving different Nesting Levels

The soundness of rule (Eval) as shown in Lemma 4.16 involves an assertion $R$ that is used
at different nesting levels in its hypothesis and conclusion. In this section we discuss two
further proof rules that relate nested triples to top-level implications in a similar way:
$$\text{(Out-T)}\quad \frac{\Xi;\Gamma \vdash \{\{A\}\,d\,\{B\} \wedge P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \{A\}\,d\,\{B\} \Rightarrow \{P\}\,e\,\{Q\}}
\qquad\qquad
\text{(In-T)}\quad \frac{\Xi;\Gamma \vdash \{A\}\,d\,\{B\} \Rightarrow \{P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \{\{A\}\,d\,\{B\} \wedge P\}\,e\,\{Q\}}$$
While, at first glance, both rules may seem reasonable, we will show below that in our
model rule (Out-T) is valid but rule (In-T) is not. We begin by making some observations
regarding the semantics of nested triples.

Lemma 5.1. For any $w \in W$, $p, q \in \mathit{Pred}$ and $c \in \mathit{Com}$ we have that $w \models_k \{p\}\,c\,\{q\}$ if and
only if for all $r \in \mathit{UAdm}$, all $n \leq k$ and all $h \in \mathit{Heap}$:
$$\pi_n(h) \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r \ \Rightarrow\ \pi_n(c(\pi_n(h))) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r).$$

Proof. For the direction from left to right, let $n \leq k$. Using the assumption and $\pi_n(h) \in
p(w) * \iota^{-1}(w)(\mathit{emp}) * r$ we obtain $\pi_k(c(\pi_k(\pi_n(h)))) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$, thus
$\pi_k(c(\pi_n(h))) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ since $\pi_k \circ \pi_n = \pi_n$ for $n \leq k$, and by downward closure
also $\pi_n(c(\pi_n(h))) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$.

For the direction from right to left, let $h \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$. By uniformity we
know that for all $n \in \omega$ also $\pi_n(h) \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We thus know by assumption
that $\pi_n(c(\pi_n(h))) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ for all $n \leq k$, and thus in particular for $n = k$. □

Definition 5.2. A predicate $p \in \mathit{Pred}$ is pseudo pure if for all $h, h' \in \mathit{Heap}$ such that
$\mathit{rnk}(h) = \mathit{rnk}(h')$ and all $w \in W$ we have that $h \in p(w)$ if, and only if, $h' \in p(w)$. An
assertion is pseudo pure if its denotation is a pseudo pure predicate.

In the following, $\phi$ will always stand for an assertion that is pseudo pure. Note that the
typical examples of pseudo pure assertions are triples. Obviously, every pure (i.e., entirely
heap-independent) assertion is trivially also pseudo pure. Assertions that depend on the
shape and content of the heap itself, e.g. $x \mapsto \_$, are not pseudo pure. We also observe that
the interpretation of a pseudo pure assertion is downward closed in the rank itself:

Lemma 5.3. For any pseudo pure predicate $p$, and any heaps $h$ and $h'$, if $\mathit{rnk}(h') \leq \mathit{rnk}(h)$
then $h \in p(w)$ implies $h' \in p(w)$.

Proof. Suppose $h \in p(w)$, and let $n = \mathit{rnk}(h') \leq \mathit{rnk}(h)$. Thus we have $\mathit{rnk}(\pi_n(h)) = n$.
Since $\pi_n(h) \in p(w)$ by uniformity, we can conclude $h' \in p(w)$ from the assumption that $p$
is pseudo pure. □

With the definition of pseudo pure in place, we can now generalise the rules (Out-T)
and (In-T) in the following way:
$$\text{(Out)}\quad \frac{\Xi;\Gamma \vdash \{\phi \wedge P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \phi \Rightarrow \{P\}\,e\,\{Q\}}\ (\phi \text{ pseudo pure})
\qquad\qquad
\text{(In)}\quad \frac{\Xi;\Gamma \vdash \phi \Rightarrow \{P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \{\phi \wedge P\}\,e\,\{Q\}}\ (\phi \text{ pseudo pure})$$

Proposition 5.1. The above rule (Out) is sound.

Proof. Assume environments $\eta$ and $\rho$, let $n \in \omega$, $w \in W$ and $h \in \mathit{Heap}$ be such that
$$\pi_n(h) \in [\![\phi]\!]_\eta\rho\,w. \tag{5.1}$$
We have to show that $\pi_n(h) \in [\![\{P\}\,e\,\{Q\}]\!]_\eta\rho\,w$. Let $k$ denote the rank of $\pi_n(h)$. If $k = 0$
we are done. Otherwise we have to show that $w \models_{k-1} \{[\![P]\!]_\eta\rho\}\,[\![e]\!]_\eta\,\{[\![Q]\!]_\eta\rho\}$. By the
observation in Lemma 5.1 it suffices to show, writing $c$ for $[\![e]\!]_\eta$, that for any heap $h'$, any $r \in \mathit{UAdm}$
and any $l \leq k - 1$, if $\pi_l(h') \in [\![P]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r$ then $\pi_l(c(\pi_l(h'))) \in \mathrm{Ad}([\![Q]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r)$.
From the interpretation of the premise of the rule using $\eta$, $\rho$, $w$ and $l$ we get the desired result
if we can show that $\pi_l(h') \in [\![P]\!]_\eta\rho\,(w) * \iota^{-1}(w)(\mathit{emp}) * r$ implies $\pi_l(h') \in [\![\phi \wedge P]\!]_\eta\rho\,(w) *
\iota^{-1}(w)(\mathit{emp}) * r$. Yet, $\pi_l(h') \in [\![\phi]\!]_\eta\rho\,(w)$ (and likewise for the sub-heap of $\pi_l(h')$ that
satisfies $P$, whose rank is also at most $l$) follows from Lemma 5.3, due to assumption (5.1),
the fact that $\phi$ is pseudo pure, and the fact that $\mathit{rnk}(\pi_l(h')) \leq l \leq k - 1 < k = \mathit{rnk}(\pi_n(h))$. □

Proposition 5.2. The rule (In) does not hold in our model.

Proof. Assuming that (In) holds in our semantics we can derive an invalid triple as follows.
Let $R$ abbreviate the recursive assertion $\mu X.\,\{X\}\,{}'\mathtt{skip}'\,\{\mathit{false}\}$. Then, from the tautology
$R \Rightarrow R$ we obtain $R \Rightarrow \{R\}\,{}'\mathtt{skip}'\,\{\mathit{false}\}$ by unfolding the recursive definition of $R$.
Applying (In) (note that $R$, being a triple, is pseudo pure) and the consequence rule thus gives
$$\vdash \{R\}\,{}'\mathtt{skip}'\,\{\mathit{false}\} \tag{5.2}$$
Our model validates the implication $\mathit{emp} \Rightarrow R$: By definition of implication, it suffices to
prove that $\mathit{rnk}([\,]) = n$ implies $w \models_{n-1} \{[\![R]\!]\}\,[\![\mathtt{skip}]\!]\,\{[\![\mathit{false}]\!]\}$. Since the empty heap $[\,]$ has
rank 1, this implication holds trivially for any triple on the right hand side, in particular
for $R$. From (5.2) and this implication we conclude that the triple $\{\mathit{emp}\}\,{}'\mathtt{skip}'\,\{\mathit{false}\}$ holds,
which is clearly not the case by definition of the semantics of triples. We conclude that rule
(In) cannot hold with respect to our semantics. □

It is worth looking more closely at the reason why rule (In) does not hold in our
semantics. Essentially, to show the triple in the conclusion at level $k$, one needs to show
that in the hypothesis the formula $\phi$ holds for a heap with rank $k + 1$. But this property
cannot be established in general from the assumptions of the triple in the conclusion at level
$k$ (see the footnote below). Note that, in the case of (Eval), the corresponding property can be established since
the heap access of the eval command offsets the increase in the rank (cf. equation (4.5) in
the proof of Lemma 4.16).

In the case where the command is arbitrary (i.e., not eval), one can express the upwards
shift of levels explicitly with the help of a modal operator $\bigcirc P$ ("previous $P$," or "$P$ one
level up"). This operator is defined by $h \in [\![\bigcirc P]\!]_\eta\rho\,w$ if and only if

• $\mathit{rnk}(h) = \infty$ and $h \in [\![P]\!]_\eta\rho\,w$, or

• $\mathit{rnk}(h) = k < \infty$ and there exists $h' \in [\![P]\!]_\eta\rho\,w$ such that $\mathit{rnk}(h') = k + 1$ and $\pi_k(h') = h$,

and thus $\bigcirc P$ denotes a downward closed, admissible predicate. With the help of the modality,
we can give variants of the above rules that keep track of the rank information:
$$\text{($\bigcirc$Out)}\quad \frac{\Xi;\Gamma \vdash \{\phi \wedge P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \phi \Rightarrow \bigcirc\{P\}\,e\,\{Q\}}
\qquad
\text{($\bigcirc$In)}\quad \frac{\Xi;\Gamma \vdash \phi \Rightarrow \bigcirc\{P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \{\phi \wedge P\}\,e\,\{Q\}}
\qquad
\text{($\bigcirc$E)}\quad \Xi;\Gamma \vdash \bigcirc P \Rightarrow P$$
In our semantics, which still satisfies ($\bigcirc$Out) and ($\bigcirc$E), even this strengthened variant
($\bigcirc$In) does not hold. This is due to the following simple observation, which means that
ranks are not preserved by the separating conjunction that is used in the interpretation of
triples.

Footnote: Rule (In) does hold in the special case when $\phi$ is pure.

Lemma 5.4. Given a heap $h = h_1 \cdot h_2$ with rank $n$, such that $\mathit{rnk}(h_1) = n_1$ and $\mathit{rnk}(h_2) = n_2$,
it may well be the case that $n_1 < n$ or $n_2 < n$.

However, the modal rules can be proved sound with the help of a step-indexed model. In
such a model, the ranks are replaced by an explicit natural number index that gives a lower
bound on the number of steps that can be safely taken in an operational semantics without
invalidating a given assertion. The slightly unintuitive implications $\mathit{emp} \Rightarrow \{P\}\,e\,\{Q\}$ do
not hold in the step-indexed model. However, the step-indexed model also does not
validate (In), and we conjecture that this rule renders the logic inconsistent. More details
about step-indexed models can be found in the literature on step-indexing cited in Section 6.

It is worth pointing out that not only do the unintuitive implications $\mathit{emp} \Rightarrow \{P\}\,e\,\{Q\}$
hold in our model, but also that the so-called invariance rule (see the footnote below)

$$\text{(Invariance)}\quad \frac{\Xi;\Gamma \vdash \{P\}\,e\,\{Q\}}{\Xi;\Gamma \vdash \{P \wedge \{A\}\,k\,\{B\}\}\,e\,\{Q \wedge \{A\}\,k\,\{B\}\}}$$
does not hold. It is only valid for invariants that are pure, so it holds neither for $\{A\}\,k\,\{B\}$
nor for any other pseudo pure invariant. This can be easily seen by considering the triple
$$\{\mathit{emp}\}\ {}'\mathtt{let}\ x = \mathtt{new}\ \mathtt{in}\ [x] := {}'\mathtt{skip}''\ \{\exists x.\ x \mapsto \{\mathit{emp}\}\,\_\,\{\mathit{emp}\}\}$$
with invariant $\{\mathit{emp}\}\,\mathtt{skip}\,\{\mathit{false}\}$, since the latter only holds for heaps with rank 1, for
instance the empty heap. Unfortunately, not even the following restricted form of invariance
holds:
$$\text{(InvarianceR)}\quad \frac{\Xi;\Gamma \vdash \{P * e_1 \mapsto e_2\}\,e\,\{Q * e_1 \mapsto e_2\}}{\Xi;\Gamma \vdash \{P * (e_1 \mapsto e_2 \wedge \phi)\}\,e\,\{Q * (e_1 \mapsto e_2 \wedge \phi)\}}\ (\phi \text{ pseudo pure})$$
since the semantics of triples and of $\mapsto$ does not guarantee that the data stored at $[\![e_1]\!]$,
and thus the rank of any heap fulfilling $[\![e_1 \mapsto e_2 \wedge \phi]\!]$, is invariant. It could still be the case
that the result heap meeting the postcondition $[\![e_1 \mapsto e_2 \wedge \phi]\!]$ has a higher rank than the
pre-execution heap meeting the same condition. The only way to guarantee that invariance
involving triples or other pseudo pure assertions holds is to ensure that the rank (or even
the content) of the heap cells in question does not change during execution. Because of this
issue we needed another update rule for programs that copy code:
$$\text{(UpdateInv)}\quad \Xi;\Gamma \vdash \{e \mapsto \_ * (e_1 \mapsto e_0 \wedge \phi)\}\ {}'[e] := e_0'\ \{(e \mapsto e_0 \wedge \phi) * (e_1 \mapsto e_0 \wedge \phi)\}\quad (\phi \text{ pseudo pure})$$
Note that $\phi$ may contain the expression $e_0$ (which can also be a variable) and will typically be
a triple $\{A\}\,k\,\{B\}$. The soundness of this rule follows from the soundness of the assignment
rule (Update) and the fact that the rank of the heap with domain $\{[\![e_1]\!]\}$ is not changed by
the command. Consequently, the heap with domain $\{[\![e]\!]\}$, which after execution holds the same
content as the one with domain $\{[\![e_1]\!]\}$, satisfies $\phi$. But this axiom is not derivable from (Update) as,
for a pseudo pure $\phi$, the axiom
$$e \mapsto e_0 * (e_1 \mapsto e_0 \wedge \phi) \Rightarrow (e \mapsto e_0 \wedge \phi) * (e_1 \mapsto e_0 \wedge \phi)$$
does not hold, for the same reasons as (InvarianceR) does not hold.



Footnote: This should not be confused with the stronger conjunction rule, which is known to be inconsistent with
higher-order frame rules [16].
6. Conclusion

In this article we have investigated a separation logic for a simple programming language
with higher-order store. As our counterexamples illustrate, the design of such a logic is not
straightforward:

• In the presence of recursive assertions, unrestricted use of a deep frame axiom permits
the "laundering" of code, which allows for the derivation of insufficient memory footprints
(Proposition 3.1).

• Higher-order frame rules are inconsistent with a classical specification logic (and hence, in
our case, due to the identification of assertion and specification language, with a classical
assertion logic; Proposition 3.3).

• In the presence of recursive assertions, one cannot move global assumptions of triples,
expressed as implications, into pre-conditions (Proposition 5.2).

Note that the first two points are independent of any choice of model, whereas this is not
clear for the third point.

In our model, we use recursively defined Kripke worlds to interpret the invariant extension
$P \otimes R$. In a logic without recursive assertions (and assertion variables), like the one
considered by Birkedal et al. for Idealized Algol [7], the invariant extension operation can
be considered essentially as a syntactic abbreviation. In particular, it need not be treated
as a primitive operation and recursive worlds are not needed. In a logic with second-order
quantification, frame conditions can be made explicit in a specification, which gives rise to
a modular proof pattern without an explicit deep frame rule; this idea is discussed and used
in earlier work.

Recursive worlds similar to the ones employed here can be used to construct a model
for Pottier's anti-frame rule, a proof rule for hiding local state from the context [20]. In
that case, predicates must depend on the worlds in a monotonic way (with respect to an
order on worlds defined from the composition operation $\circ$), which complicates the model
construction considerably [28].

During the process of writing this article, it has been discovered that one can also build
a model for the presented logic, including deep frame rules and recursive assertions, with the
help of step-indexing [2], based on an operational semantics for the programming language.
We have already pointed out differences between the two models throughout the paper, but
here is a short summary. The domain model in our work uses ranks of heaps in order
to equip semantic assertions with an ultrametric. Whereas steps are counted separately
in the step-indexed approach, heaps, and thus their ranks, are manipulated by programs.
This leads to some contamination of the assertion semantics that the step-indexed model does
not share. First of all, we do not get a BI algebra; more precisely, we do not get spatial
implication. Secondly, triples are not pure but only pseudo pure. This, in turn, means that the
invariance rule for triples is not valid and holds only for programs that do not change the
rank of the heap in question (as expressed in (UpdateInv)). Moreover, some unwanted
implications between triples are validated. The (In-T) rule does not hold in either of the
two models, but it holds in [12]. The ($\bigcirc$In) rule, on the other hand, does hold in the step-
indexed model but not in the presented one. Despite the complications caused by the ranks of
heaps, the denotational model has some upsides as well. From earlier work one knows that it
represents a way to combine some equational reasoning with Hoare style logics. Equational
reasoning has been used to some extent to prove properties of the model, in particular the
soundness of the presented rules. It remains to be seen whether the denotational models
have more advantages over the operational step-indexed ones regarding binary relations,
e.g. in order to prove parametricity results.

A detailed description of the step-indexed model and its applications will appear else- 
where in due course. 

The work of Honda et al. [12] also presents a logic for higher-order functions and general
references, including even observational completeness, i.e. two programs are equal if they
fulfill the same triples. The main differences with respect to the logic presented here are
as follows. In [12] a logic for total correctness is given. Therefore, there is no need for a
specific rule handling recursion through the store, since procedures are always proved sound
using induction on a termination measure that the verifier needs to guess. Moreover, local
reasoning is ignored, so there are no frame rules. The follow-up work [32] addressed this
issue, but using content quantification and not separation logic. There does not appear to
be an implementation of the logic of [32] either.

A variant of our logic, for a language with recursive procedures and the possibility of
partial application, has been implemented in the Crowfoot tool [9]. This verification tool is
mainly targeted at proving memory safety for programs with stored procedures automatically.
In its current state it does not yet cover a full-fledged first-order logic. Some example
specifications for nested triples and recursive assertions can be found, e.g., in [11].
Appendix A. Summary of Proof Rules

Figure 9 summarizes the proof rules that we have proved sound with respect to our model.
Not shown are the standard proof rules for (intuitionistic) first-order logic (for instance, see
[30]) and the distribution axioms for $\otimes$ that appear in Figure 2.

Appendix B. Proofs 
This section contains the proofs omitted from the main part of the paper. 

B.l. Heyting algebra structure of uniform admissible subsets. 

Lemma B.1 (Heyting algebra). Let $I = \{[\,], \bot\}$. Then $(\mathit{UAdm}, \subseteq)$ is a complete Heyting
algebra with a (monotone) commutative monoid structure $(\mathit{UAdm}, *, I)$. All the algebra
operations are non-expansive with respect to the metric defined in Section 4.3.

Proof. Since admissibility and uniformity are preserved by taking arbitrary intersections,
$\mathit{UAdm}$ is a complete lattice, with meets given by set-theoretic intersection, least element
$\{\bot\}$ and greatest element $\mathit{Heap}$. Binary joins are given by set-theoretic union, and arbitrary
joins by $\bigsqcup_i p_i = \bigcap\{p \in \mathit{UAdm} \mid p \supseteq \bigcup_i p_i\}$.

The join is described more explicitly as $\bigsqcup_i p_i = \{h \mid \forall n \in \omega.\ \pi_n(h) \in \bigcup_i p_i\}$. First,
note that the right hand side $r = \{h \mid \forall n \in \omega.\ \pi_n(h) \in \bigcup_i p_i\}$ is an element of $\mathit{UAdm}$: $r$
is uniform, i.e., $h \in r$ implies $\pi_m(h) \in r$ for all $m \in \omega$, since $\pi_n \circ \pi_m = \pi_{\min\{n,m\}}$. To show
that $r$ is also admissible suppose $h_0 \sqsubseteq h_1 \sqsubseteq \ldots$ is a chain in $r$, and let $h$ be the lub of this
chain. We must show that $\pi_n(h) \in \bigcup_i p_i$ for all $n \in \omega$. By compactness, $\pi_n(h) \sqsubseteq h_k \sqsubseteq h$
for some $k$, and hence $\pi_n(h) = \pi_n(h_k) \in \bigcup_i p_i$ using the idempotency of $\pi_n$ and the fact
that $h_k \in r$. To see the inclusion $r \subseteq \bigsqcup_i p_i$, note that for all $h$, if $\pi_n(h) \in \bigcup_i p_i \subseteq p$ for
all $n \in \omega$ and some arbitrary $p \in \mathit{UAdm}$ with $p \supseteq \bigcup_i p_i$, then also $h = \bigsqcup_n \pi_n(h) \in p$ by admissibility,
and hence $h \in \bigsqcup_i p_i$ follows. For the other inclusion, we claim that the right hand side
$r$ is one of the elements appearing in the intersection; from this claim it is immediate that
$r \supseteq \bigsqcup_i p_i$. The claim follows since $r \supseteq \bigcup_i p_i$ by the uniformity of the $p_i$'s.

The implication of this complete lattice $\mathit{UAdm}$ is described by $p \Rightarrow q = \{h \mid \forall n \in
\omega.\ \text{if } \pi_n(h) \in p \text{ then } \pi_n(h) \in q\}$: Using $\pi_n \circ \pi_m = \pi_{\min\{n,m\}}$ it is easy to see that $p \Rightarrow q$ is
uniform. Admissibility follows analogously to the case of joins: if $h_0 \sqsubseteq h_1 \sqsubseteq \ldots$ is a chain
in $p \Rightarrow q$ with lub $h$, and if $n \in \omega$ is such that $\pi_n(h) \in p$, then we must show that $\pi_n(h) \in q$.
Since $\pi_n(h) \sqsubseteq h$ is compact, there is some $k$ such that $\pi_n(h) \sqsubseteq h_k \sqsubseteq h$, and thus the
required $\pi_n(h) = \pi_n(h_k) \in q$ follows from $h_k \in p \Rightarrow q$. Next, to see that $p \Rightarrow q$ is indeed the
implication in $\mathit{UAdm}$, first note that we have $(p \Rightarrow q) \cap p \subseteq q$, using the uniformity of $p$ and
the admissibility of $q$. If $p \cap r \subseteq q$ for some $r \in \mathit{UAdm}$, and $h \in r$ and $\pi_n(h) \in p$ for some
$n \in \omega$, then the uniformity of $r$ yields $\pi_n(h) \in q$. Thus we obtain $p \cap r \subseteq q \iff r \subseteq p \Rightarrow q$.

That $*$ is an operation on $\mathit{UAdm}$ is established in the proof of Lemma 4.3. It is easy
to check that $*$ is commutative and associative and that it is monotone, i.e., if $p \subseteq p'$ and
$q \subseteq q'$ then $p * q \subseteq p' * q'$. Moreover, we have $I \in \mathit{UAdm}$, and the fact that $p * I = p = I * p$
follows from the definition of the heap combination $h \cdot h'$.

For the non-expansiveness of the algebra operations, we only consider the case of meets
as an example. Assume $p \overset{n}{=} p'$ and $q \overset{n}{=} q'$; then whenever $h \in p \cap q$ we have $\pi_n(h) \in p'$ and
$\pi_n(h) \in q'$ by assumption, and symmetrically for $h \in p' \cap q'$. Thus also $p \cap q \overset{n}{=} p' \cap q'$. □
*-Assoc: $\Gamma \vdash P * (Q * R) \Leftrightarrow (P * Q) * R$

*-Comm: $\Gamma \vdash P * Q \Leftrightarrow Q * P$

*-Unit: $\Gamma \vdash P * \mathit{emp} \Leftrightarrow P$

*-Zero: $\Gamma \vdash P * \mathit{false} \Leftrightarrow \mathit{false}$

*-Overlap: $\Gamma \vdash (e \mapsto e_1 * e \mapsto e_2) \Leftrightarrow \mathit{false}$

*-Mono:
\[ \frac{\Sigma;\Gamma \vdash P \Rightarrow P' \qquad \Sigma;\Gamma \vdash Q \Rightarrow Q'}{\Sigma;\Gamma \vdash P * Q \Rightarrow P' * Q'} \]

⊗-Mono:
\[ \frac{\Sigma;\Gamma \vdash P \Rightarrow P'}{\Sigma;\Gamma \vdash P \otimes R \Rightarrow P' \otimes R} \]

Deref:
\[ \frac{\Sigma;\Gamma,x \vdash \{P * e \mapsto x\}\ \text{`}C\text{'}\ \{Q\}}{\Sigma;\Gamma \vdash \{\exists x.\,P * e \mapsto x\}\ \text{`let }x=[e]\text{ in }C\text{'}\ \{Q\}} \quad (x \notin \mathit{fv}(e,Q)) \]

Update: $\Sigma;\Gamma \vdash \{e \mapsto \_ * P\}\ \text{`}[e] := e_0\text{'}\ \{e \mapsto e_0 * P\}$

UpdateInv: $\Sigma;\Gamma \vdash \{e \mapsto \_ * (e_1 \mapsto e_0 \wedge \phi)\}\ \text{`}[e] := e_0\text{'}\ \{(e \mapsto e_0 \wedge \phi) * (e_1 \mapsto e_0 \wedge \phi)\}$ ($\phi$ pseudo pure)

New:
\[ \frac{\Sigma;\Gamma,x \vdash \{P * x \mapsto e\}\ \text{`}C\text{'}\ \{Q\}}{\Sigma;\Gamma \vdash \{P\}\ \text{`let }x=\text{new }e\text{ in }C\text{'}\ \{Q\}} \quad (x \notin \mathit{fv}(e,P,Q)) \]

Free: $\Sigma;\Gamma \vdash \{e \mapsto \_ * P\}\ \text{`free}(e)\text{'}\ \{P\}$

If:
\[ \frac{\Sigma;\Gamma \vdash \{P \wedge e_0 = e_1\}\ \text{`}C\text{'}\ \{Q\} \qquad \Sigma;\Gamma \vdash \{P \wedge e_0 \neq e_1\}\ \text{`}D\text{'}\ \{Q\}}{\Sigma;\Gamma \vdash \{P\}\ \text{`if }(e_0 = e_1)\text{ then }C\text{ else }D\text{'}\ \{Q\}} \]

Skip: $\Sigma;\Gamma \vdash \{P\}\ \text{`skip'}\ \{P\}$

Seq:
\[ \frac{\Sigma;\Gamma \vdash \{P\}\ \text{`}C\text{'}\ \{R\} \qquad \Sigma;\Gamma \vdash \{R\}\ \text{`}D\text{'}\ \{Q\}}{\Sigma;\Gamma \vdash \{P\}\ \text{`}C;D\text{'}\ \{Q\}} \]

Eval:
\[ \frac{\Sigma;\Gamma,k \vdash R[k] \Rightarrow \{P * e \mapsto R[\_]\}\ k\ \{Q\}}{\Sigma;\Gamma \vdash \{P * e \mapsto R[\_]\}\ \text{`eval }[e]\text{'}\ \{Q\}} \]

Conseq:
\[ \frac{\Sigma;\Gamma \vdash P' \Rightarrow P \qquad \Sigma;\Gamma \vdash Q \Rightarrow Q'}{\Sigma;\Gamma \vdash \{P\}\,e\,\{Q\} \Rightarrow \{P'\}\,e\,\{Q'\}} \]

Disj: $\Sigma;\Gamma \vdash (\{P\}\,e\,\{Q\} \wedge \{P'\}\,e\,\{Q'\}) \Rightarrow \{P \vee P'\}\,e\,\{Q \vee Q'\}$

Figure 9. Axioms and proof rules. Rule ⊗-Mono is in fact a derived rule.



ExistAux: $\Sigma;\Gamma \vdash (\forall x.\,\{P\}\,e\,\{Q\}) \Rightarrow \{\exists x.\,P\}\,e\,\{\exists x.\,Q\}$ ($x \notin \mathit{fv}(e)$)

Invariance: $\Sigma;\Gamma \vdash \{P\}\,e\,\{Q\} \Rightarrow \{P \wedge \psi\}\,e\,\{Q \wedge \psi\}$ ($\psi$ is pure)

⊗-Frame:
\[ \frac{\Sigma;\Gamma \vdash P}{\Sigma;\Gamma \vdash P \otimes R} \]

*-Frame: $\Sigma;\Gamma \vdash \{P\}\,e\,\{Q\} \Rightarrow \{P * R\}\,e\,\{Q * R\}$

RUnique:
\[ \frac{\Sigma;\Gamma \vdash R \Leftrightarrow P[X := R] \qquad \Sigma;\Gamma \vdash S \Leftrightarrow P[X := S]}{\Sigma;\Gamma \vdash R \Leftrightarrow S} \quad (P \text{ formally contr. in } X) \]

Figure 9. Axioms and proof rules (cont.).

Lemma B.2 (Heyting algebra, II). The set of non-expansive functions $W \to \mathit{UAdm}$, ordered pointwise, forms a complete Heyting algebra with a (monotone) commutative monoid structure. The operations are given by the pointwise extension of the corresponding ones on $\mathit{UAdm}$, and they are non-expansive with respect to the sup-metric on $W \to \mathit{UAdm}$.

Proof. We begin by showing that all the claimed algebra operations on $W \to \mathit{UAdm}$ are well-defined, i.e., that the pointwise definitions give rise to non-expansive functions from $W$ to $\mathit{UAdm}$. The cases of the various units are given by constant functions and thus non-expansive:
\[ \top(w) = \mathit{Heap} \qquad \bot(w) = \{\bot\} \qquad I(w) = \{[\,],\ \bot\} \]
Next, consider the case of meets. Let $(p_i)_{i \in I}$ be a family of functions $p_i$ in $W \to \mathit{UAdm}$ and $w, w' \in W$ such that $w \stackrel{n}{=} w'$. Then we have
\[ \Big(\bigcap_{i \in I} p_i\Big)(w) = \bigcap_{i \in I} p_i(w) \stackrel{n}{=} \bigcap_{i \in I} p_i(w') = \Big(\bigcap_{i \in I} p_i\Big)(w') \]
by the non-expansiveness of each $p_i$. Well-definedness for the other operations is shown analogously.

We now show that the operations are non-expansive. Again, we consider the case of meets only, as the remaining cases are similar. Let $(p_i)_{i \in I}$ and $(q_i)_{i \in I}$ be two families of non-expansive functions such that $p_i \stackrel{n}{=} q_i$ holds for all $i \in I$. To see that $\bigcap_i p_i \stackrel{n}{=} \bigcap_i q_i$ holds, by definition of the sup-metric it suffices to prove $(\bigcap_i p_i)(w) \stackrel{n}{=} (\bigcap_i q_i)(w)$ for all $w \in W$. This follows from the pointwise definition since $p_i(w) \stackrel{n}{=} q_i(w)$ holds for every $i \in I$ by assumption. □
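The "analogous" case of the pointwise implication is the one most easily got wrong, because $\Rightarrow$ on $\mathit{UAdm}$ quantifies over all projections of a heap. The following derivation is added here and is not part of the paper's proof. It assumes that $n$-equality on $\mathit{UAdm}$ is read as it is used in the proof of Lemma B.1 above: $p \stackrel{n}{=} p'$ iff every $h \in p$ has $\pi_n(h) \in p'$ and every $h \in p'$ has $\pi_n(h) \in p$; beyond that it uses only $\pi_n \circ \pi_m = \pi_{\min\{n,m\}}$ and the definition of $p \Rightarrow q$.

\[
\begin{aligned}
&\text{Let } w \stackrel{n}{=} w' \text{ and } h \in (p \Rightarrow q)(w) = p(w) \Rightarrow q(w); \text{ we show } \pi_n(h) \in p(w') \Rightarrow q(w').\\
&\text{Fix } m \in \omega \text{ and let } j = \min\{m,n\}, \text{ so that } \pi_m(\pi_n(h)) = \pi_j(h) \text{ and } \pi_n(\pi_j(h)) = \pi_j(h).\\
&\pi_j(h) \in p(w') \ \Longrightarrow\ \pi_n(\pi_j(h)) = \pi_j(h) \in p(w) \qquad \text{since } p(w') \stackrel{n}{=} p(w) \text{ ($p$ is non-expansive)}\\
&\phantom{\pi_j(h) \in p(w')} \ \Longrightarrow\ \pi_j(h) \in q(w) \qquad\qquad\qquad\qquad\ \text{since } h \in p(w) \Rightarrow q(w), \text{ taken at index } j\\
&\phantom{\pi_j(h) \in p(w')} \ \Longrightarrow\ \pi_n(\pi_j(h)) = \pi_j(h) \in q(w') \qquad \text{since } q(w) \stackrel{n}{=} q(w')\\
&\text{Hence } \pi_n(h) \in (p \Rightarrow q)(w'); \text{ exchanging } w \text{ and } w' \text{ gives } (p \Rightarrow q)(w) \stackrel{n}{=} (p \Rightarrow q)(w').
\end{aligned}
\]

The same three steps, with $p, p', q, q' \in \mathit{UAdm}$ in place of $p(w), p(w'), q(w), q(w')$, show that $\Rightarrow$ is non-expansive on $\mathit{UAdm}$ itself, and therefore, by the sup-metric argument used for meets above, that the pointwise $\Rightarrow$ on $W \to \mathit{UAdm}$ is non-expansive as well.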



B.2. Interpretation of assertions.

Lemma B.3 (Non-expansiveness of fix, [6]). Let $(X, d)$ be an object in $\mathbf{CBUlt}$, and let $f, g : X \to X$ be contractive functions on $X$. Then $d(\mathit{fix}\,f, \mathit{fix}\,g) \le \sup_{x \in X} d(f(x), g(x))$.
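The bound follows in three lines from the ultrametric inequality, which is why it is cited without proof. The derivation below is added here and is taken neither from the paper nor from [6]. It assumes that contractiveness of $f$ means $d(f(x), f(y)) \le c \cdot d(x,y)$ for some fixed $c < 1$, and writes $x^* = \mathit{fix}\,f$ and $y^* = \mathit{fix}\,g$.

\[
\begin{aligned}
d(x^*, y^*) &= d(f(x^*), g(y^*)) && (x^* = f(x^*),\ y^* = g(y^*))\\
&\le \max\{\, d(f(x^*), f(y^*)),\ d(f(y^*), g(y^*)) \,\} && \text{(ultrametric inequality via } f(y^*))\\
&\le \max\{\, c \cdot d(x^*, y^*),\ \sup_{x \in X} d(f(x), g(x)) \,\} && \text{($f$ contractive; the sup bounds the case } x = y^*)
\end{aligned}
\]

If the maximum is attained by the first entry, then $d(x^*, y^*) \le c \cdot d(x^*, y^*)$ with $c < 1$ forces $d(x^*, y^*) = 0$; otherwise the last line is the claim itself. In both cases $d(\mathit{fix}\,f, \mathit{fix}\,g) \le \sup_{x \in X} d(f(x), g(x))$. Note that the contraction factor of $g$ is never used; only $f$ needs to be contractive for this direction.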

Lemma B.4 (Well-definedness). The interpretation in Fig. 8 is well-defined. More precisely, let $P$ be an assertion with free relation variables in $\Xi = X_1, \dots, X_k$, where the arity of $X_i$ is $n_i$. Then:

(1) for every $\eta \in \mathit{Env}$ and $\rho \in \prod_{X_i \in \Xi} \mathit{Pred}^{(n_i)}$, $\llbracket P \rrbracket_{\eta,\rho}$ is an element of $\mathit{Pred}$, i.e., a non-expansive function $W \to \mathit{UAdm}$;

(2) $\llbracket P \rrbracket_\eta$ denotes a non-expansive function from $\prod_{X_i \in \Xi} \mathit{Pred}^{(n_i)}$ to $\mathit{Pred}$;

(3) if $P$ is formally contractive in $X$ then the functional $\lambda q.\,\llbracket P \rrbracket_{\eta,\rho[X := q]}$ is a contractive map from $\mathit{Pred}^{(n)}$ to $\mathit{Pred}$, where $X$ is an $n$-ary relation variable.

Proof. The claims are proved simultaneously by induction on the structure of $P$. Note that the composition of non-expansive functions is again a non-expansive function, and that the composition of a contractive function with a non-expansive function is again a contractive function.

• For the logical connectives, the claims follow from the inductive hypothesis and Lemmas B.1 and B.2, respectively.

• The case of invariant extension, $P \otimes R$, follows from Lemma 4.4. In particular, $q \mapsto \llbracket P \otimes R \rrbracket_{\eta,\rho[X := q]}$ is a contractive function whenever $P$ is formally contractive in $X$.

• The case of a relation variable, $X_i(\bar e)$, follows from the assumption that $\rho(X_i)$ is a non-expansive function from $\mathit{Val}^{n_i}$ to $\mathit{Pred}$.

• In the case of recursive assertions, $(\mu X(\bar x).P)(\bar e)$, the well-formedness requirement that $P$ be formally contractive in $X$ means that $\lambda q.\,\llbracket P \rrbracket_{\eta,\rho[X := q]}$ is contractive, by part (3) of the induction hypothesis. Hence, $\lambda q, \bar d.\,\llbracket P \rrbracket_{\eta[\bar x := \bar d],\rho[X := q]}$ is a contractive endofunction on $\mathit{Pred}^{(n)}$. In particular, the fixed point in the definition of $\llbracket (\mu X(\bar x).P)(\bar e) \rrbracket$ is well-defined, and by Lemma B.3
\[ \llbracket (\mu X(\bar x).P)(\bar e) \rrbracket_\eta = \lambda\rho.\ \big(\mathit{fix}(\lambda q, \bar d.\,\llbracket P \rrbracket_{\eta[\bar x := \bar d],\rho[X := q]})\big)(\llbracket \bar e \rrbracket_\eta) \]
is a non-expansive function.

Similarly, if $P$ is formally contractive in $Y \neq X$, then $\lambda q.\,\llbracket (\mu X(\bar x).P)(\bar e) \rrbracket_{\eta,\rho[Y := q]}$ is contractive by Lemma B.3 and the inductive hypothesis that $q \mapsto \llbracket P \rrbracket_{\eta,\rho'[Y := q]}$ is contractive for any $\rho'$.

• It remains to consider the case of (nested) triples. Note that the interpretation of triples is defined in terms of the admissible downward closure, so it is clear that $\llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}\,w$ is uniform and admissible. We first prove claim (1), i.e., the non-expansiveness of $\llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}$. To this end, assume that $w \stackrel{n}{=} w'$, and let $h \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}\,w$. We must show that $\pi_n(h) \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}\,w'$. By the downward closure, we also know that $\pi_n(h) \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}\,w$. Since $k \stackrel{\mathrm{def}}{=} \mathit{rnk}(\pi_n(h)) \le n$, we also have $w \stackrel{k}{=} w'$. Without loss of generality we can assume that $k > 0$, and thus must have $w \models_{k-1} \{\llbracket P \rrbracket_{\eta,\rho}\}\ \llbracket e \rrbracket_\eta\ \{\llbracket Q \rrbracket_{\eta,\rho}\}$. By Lemma 4.[…] this implies $w' \models_{k-1} \{\llbracket P \rrbracket_{\eta,\rho}\}\ \llbracket e \rrbracket_\eta\ \{\llbracket Q \rrbracket_{\eta,\rho}\}$, and thus also $\pi_n(h) \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}\,w'$.

We now prove the following claim, which implies the non-expansiveness and contractiveness properties stated in conditions (2) and (3):
\[ \rho \stackrel{n}{=} \rho' \ \Longrightarrow\ \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho} \stackrel{n+1}{=} \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho'}. \]
For the proof of this claim, assume $\rho \stackrel{n}{=} \rho'$ and $h \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho}\,w$ for some $w$. We must show that $\pi_{n+1}(h) \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho'}\,w$. Let $k \stackrel{\mathrm{def}}{=} \mathit{rnk}(\pi_{n+1}(h)) \le n + 1$. Without loss of generality we can assume $k > 0$ (and hence $k - 1 \le n$), and thus obtain $w \models_{k-1} \{\llbracket P \rrbracket_{\eta,\rho}\}\ \llbracket e \rrbracket_\eta\ \{\llbracket Q \rrbracket_{\eta,\rho}\}$. By induction hypothesis, $\llbracket P \rrbracket_\eta$ and $\llbracket Q \rrbracket_\eta$ are non-expansive, and thus $\llbracket P \rrbracket_{\eta,\rho} \stackrel{k-1}{=} \llbracket P \rrbracket_{\eta,\rho'}$ and $\llbracket Q \rrbracket_{\eta,\rho} \stackrel{k-1}{=} \llbracket Q \rrbracket_{\eta,\rho'}$. By Lemma 4.[…] we obtain $w \models_{k-1} \{\llbracket P \rrbracket_{\eta,\rho'}\}\ \llbracket e \rrbracket_\eta\ \{\llbracket Q \rrbracket_{\eta,\rho'}\}$. This yields $\pi_{n+1}(h) \in \llbracket \{P\}\,e\,\{Q\} \rrbracket_{\eta,\rho'}\,w$.
B.3. Soundness of standard rules from separation logic. The following lemmas show that the usual rules of separation logic, expressed using triples containing quoted commands as shown in Figure 3, are sound.

Lemma B.5 (Skip). The axiom $\{P\}\ \text{`skip'}\ \{P\}$ is valid.

Proof. This follows from the fact that $\llbracket \mathsf{skip} \rrbracket_\eta\,h = h$ for all $h \in \mathit{Heap}$, and that $\mathrm{Ad}(\cdot)$ is a closure operation. □

Lemma B.6 (Conditional). If $\{P \wedge e_0 = e_1\}\ \text{`}C\text{'}\ \{Q\}$ and $\{P \wedge e_0 \neq e_1\}\ \text{`}D\text{'}\ \{Q\}$ are both valid, then so is $\{P\}\ \text{`if }(e_0 = e_1)\text{ then }C\text{ else }D\text{'}\ \{Q\}$.

Proof. Let $w \in W$ and $r \in \mathit{UAdm}$ and suppose $h \in \llbracket P \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r$. From the semantics of the conditional, we can assume without loss of generality that $\llbracket e_0 \rrbracket_\eta$ and $\llbracket e_1 \rrbracket_\eta$ are not both in $\mathit{Com}_\bot$. We must show that
\[ c(h) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r), \]
where $c(h) = \mathsf{if}\ (\llbracket e_0 \rrbracket_\eta = \llbracket e_1 \rrbracket_\eta)\ \mathsf{then}\ \llbracket C \rrbracket_\eta\,h\ \mathsf{else}\ \llbracket D \rrbracket_\eta\,h$. Depending on whether the statement $\llbracket e_0 \rrbracket_\eta = \llbracket e_1 \rrbracket_\eta$ holds, we have $\llbracket e_0 = e_1 \rrbracket_{\eta,\rho}(w) = \mathit{Heap}$ or $\llbracket e_0 \neq e_1 \rrbracket_{\eta,\rho}(w) = \mathit{Heap}$. Therefore, the claim follows from either the first or the second assumed triple. □

Lemma B.7 (Update). The axiom $\{e \mapsto \_ * P\}\ \text{`}[e] := e_0\text{'}\ \{e \mapsto e_0 * P\}$ is valid.

Proof. By Lemma 4.15 it suffices to prove the validity of
\[ \{e \mapsto \_\}\ \text{`}[e] := e_0\text{'}\ \{e \mapsto e_0\}. \]
Let $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$, $p = \llbracket e \mapsto \_ \rrbracket_{\eta,\rho}$, $q = \llbracket e \mapsto e_0 \rrbracket_{\eta,\rho}$ and $c = \llbracket [e] := e_0 \rrbracket_\eta$. We will show that $w \models \{p\}\,c\,\{q\}$ holds for all $w \in W$.

Let $w \in W$ and $r \in \mathit{UAdm}$, and suppose $h \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We may assume that $h \neq \bot$, for otherwise $c(h) = \bot \in q(w) * \iota^{-1}(w)(\mathit{emp}) * r$ is immediate. Thus, $h = h' \cdot h''$ such that $h' \in p(w)$ and $h'' \in \iota^{-1}(w)(\mathit{emp}) * r$. In particular, since $h' \in p(w) = \llbracket e \mapsto \_ \rrbracket_{\eta,\rho}(w)$ we obtain that $\llbracket e \rrbracket_\eta \in \mathrm{dom}(h') \subseteq \mathrm{dom}(h)$. Therefore, from the semantics of the assignment command, $c(h) = h[\llbracket e \rrbracket_\eta \mapsto \llbracket e_0 \rrbracket_\eta]$. But this heap is the same as $\{\!|\,\llbracket e \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\} \cdot h''$, and therefore $c(h) \in q(w) * \iota^{-1}(w)(\mathit{emp}) * r$. The latter set is contained in $\mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ since $\mathrm{Ad}(\cdot)$ is a closure operation. □

Lemma B.8 (UpdateInv). The axiom

UpdateInv: $\Sigma;\Gamma \vdash \{e \mapsto \_ * (e_1 \mapsto e_0 \wedge \phi)\}\ \text{`}[e] := e_0\text{'}\ \{(e \mapsto e_0 \wedge \phi) * (e_1 \mapsto e_0 \wedge \phi)\}$ ($\phi$ pseudo pure)

is valid.

Proof. Consider $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$, $c = \llbracket [e] := e_0 \rrbracket_\eta$, $p = \llbracket e \mapsto \_ * (e_1 \mapsto e_0 \wedge \phi) \rrbracket_{\eta,\rho}$ and $q = \llbracket (e \mapsto e_0 \wedge \phi) * (e_1 \mapsto e_0 \wedge \phi) \rrbracket_{\eta,\rho}$. We will show that $w \models \{p\}\,c\,\{q\}$ holds for all $w \in W$.

Let $w \in W$ and $r \in \mathit{UAdm}$, and suppose $h \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We may assume that $h \neq \bot$, for otherwise $c(h) = \bot \in q(w) * \iota^{-1}(w)(\mathit{emp}) * r$ is immediate. Thus, $h = h' \cdot h''$ such that $h' \in p(w)$ and $h'' \in \iota^{-1}(w)(\mathit{emp}) * r$. In particular, since $h' \in p(w) = \llbracket e \mapsto \_ * (e_1 \mapsto e_0 \wedge \phi) \rrbracket_{\eta,\rho}(w)$, we obtain that $h' = h_1 \cdot h_2$ such that $\{\llbracket e \rrbracket_\eta\} = \mathrm{dom}(h_1) \subseteq \mathrm{dom}(h') \subseteq \mathrm{dom}(h)$ and $\{\llbracket e_1 \rrbracket_\eta\} = \mathrm{dom}(h_2) \subseteq \mathrm{dom}(h') \subseteq \mathrm{dom}(h)$ and $h_2 \in \llbracket \phi \rrbracket_{\eta,\rho}(w)$. Therefore, from the semantics of the assignment command, $c(h) = h[\llbracket e \rrbracket_\eta \mapsto \llbracket e_0 \rrbracket_\eta]$. But this heap is the same as $(\{\!|\,\llbracket e \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\} \cdot \{\!|\,\llbracket e_1 \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\}) \cdot h''$. Now the rank of the heap $\{\!|\,\llbracket e \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\}$ is obviously identical to the rank of $\{\!|\,\llbracket e_1 \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\}$, and thus $\{\!|\,\llbracket e \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\} \in \llbracket \phi \rrbracket_{\eta,\rho}(w)$ as $\phi$ is pseudo pure and $\{\!|\,\llbracket e_1 \rrbracket_\eta = \llbracket e_0 \rrbracket_\eta\,|\!\} = h_2 \in \llbracket \phi \rrbracket_{\eta,\rho}(w)$. Therefore $c(h) \in q(w) * \iota^{-1}(w)(\mathit{emp}) * r$. The latter set is contained in $\mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ since $\mathrm{Ad}(\cdot)$ is a closure operation. □

Lemma B.9 (Free). The axiom $\{e \mapsto \_ * P\}\ \text{`free}(e)\text{'}\ \{P\}$ is valid.

Proof. By Lemma 4.15 it suffices to prove the validity of
\[ \{e \mapsto \_\}\ \text{`free}(e)\text{'}\ \{\mathit{emp}\}. \]
Let $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$, $p = \llbracket e \mapsto \_ \rrbracket_{\eta,\rho}$, $q = \llbracket \mathit{emp} \rrbracket_{\eta,\rho}$ and $c = \llbracket \mathsf{free}(e) \rrbracket_\eta$. We will prove that $w \models \{p\}\,c\,\{q\}$ holds for all $w \in W$.

Let $w \in W$, let $r \in \mathit{UAdm}$ and suppose $h \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$. Since $q(w)$ is the unit for $*$ and $\mathrm{Ad}(\cdot)$ is a closure operation, we must only show $c(h) \in \iota^{-1}(w)(\mathit{emp}) * r$. We may assume that $h \neq \bot$, for otherwise $c(h) = \bot \in \iota^{-1}(w)(\mathit{emp}) * r$ is immediate. Thus, $h = h' \cdot h''$ such that $h' \in p(w)$ and $h'' \in \iota^{-1}(w)(\mathit{emp}) * r$. In particular, since $h' \in p(w) = \llbracket e \mapsto \_ \rrbracket_{\eta,\rho}(w)$, we obtain that $\{\llbracket e \rrbracket_\eta\} = \mathrm{dom}(h') \subseteq \mathrm{dom}(h)$. Therefore, from the semantics of the deallocation command, $c(h) = h''$. It follows that $c(h) \in \iota^{-1}(w)(\mathit{emp}) * r$. □

Lemma B.10 (Deref). If $\{P * e \mapsto x\}\ \text{`}C\text{'}\ \{Q\}$ is valid and $x$ is not free in $e$ and $Q$, then $\{\exists x.\,P * e \mapsto x\}\ \text{`let }x=[e]\text{ in }C\text{'}\ \{Q\}$ is also valid.

Proof. Assume that $\{P * e \mapsto x\}\ \text{`}C\text{'}\ \{Q\}$ is valid, and pick $\eta \in \mathit{Env}$ and $\rho \in \mathit{Pred}^\Xi$. Let $c = \llbracket \mathsf{let}\ x=[e]\ \mathsf{in}\ C \rrbracket_\eta$. We will show that $w \models \{\llbracket \exists x.\,P * e \mapsto x \rrbracket_{\eta,\rho}\}\ c\ \{\llbracket Q \rrbracket_{\eta,\rho}\}$ for all $w \in W$.

Let $w \in W$, $r \in \mathit{UAdm}$ and $h \in \llbracket \exists x.\,P * e \mapsto x \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We must show that $c(h) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. By definition there are heaps $h', h''$ such that $h = h' \cdot h''$ and $h' \in \llbracket \exists x.\,P * e \mapsto x \rrbracket_{\eta,\rho}(w)$ and $h'' \in \iota^{-1}(w)(\mathit{emp}) * r$. By definition this means that
\[ \forall n.\ \exists d_n \in \mathit{Val}.\ \pi_n(h') \in \llbracket P * e \mapsto x \rrbracket_{\eta[x := d_n],\rho}(w). \]
Let us write $\eta_n$ for $\eta[x := d_n]$. In the remainder of the proof, we will prove that
\[ \forall n.\ c(\pi_n(h)) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r), \]
because then, by admissibility and the continuity of $c$, we obtain the required $c(h) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r)$.

Without loss of generality we can assume that $\pi_n(h) \neq \bot$, so that $\pi_n(h') \neq \bot$ as well. Then, since $x \notin \mathit{fv}(e)$, we have in particular $\llbracket e \rrbracket_\eta \in \mathrm{dom}(\pi_n(h')) \subseteq \mathrm{dom}(h)$ and $\pi_n(h')(\llbracket e \rrbracket_\eta) \sqsubseteq d_n$. Using the monotonicity of commands with respect to the environment, this gives
\[ c(\pi_n(h)) \sqsubseteq \llbracket C \rrbracket_{\eta_n}(\pi_n(h)). \]
By uniformity of $\iota^{-1}(w)(\mathit{emp}) * r$, we have $\pi_n(h) \in \llbracket P * e \mapsto x \rrbracket_{\eta_n,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r$, so that the assumption gives us
\[ c(\pi_n(h)) \sqsubseteq \llbracket C \rrbracket_{\eta_n}(\pi_n(h)) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta_n,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r). \]
Since $\mathrm{Ad}(p')$ is a downward-closed set for every predicate $p'$, the above formula implies that $c(\pi_n(h))$ belongs to the set on the right hand side. Furthermore, since $x \notin \mathit{fv}(Q)$, we have $\llbracket Q \rrbracket_{\eta_n} = \llbracket Q \rrbracket_\eta$. The combination of these two facts gives the desired $c(\pi_n(h)) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. □

Lemma B.11 (New). If $\{P * x \mapsto e\}\ \text{`}C\text{'}\ \{Q\}$ is valid and $x$ is not free in $P$, $Q$ and $e$, then $\{P\}\ \text{`let }x=\text{new }e\text{ in }C\text{'}\ \{Q\}$ is valid.

Proof. Let $w \in W$, $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$ and $r \in \mathit{UAdm}$, and let $c = \llbracket \mathsf{let}\ x=\mathsf{new}\ e\ \mathsf{in}\ C \rrbracket_\eta$. Suppose $h \in \llbracket P \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We must show that $c(h) \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta,\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. Consider the following environment $\eta'$ and heap $h'$:
\[ \eta' = \eta[x := \ell] \qquad\qquad h' = h \cdot \{\!|\,\ell = \llbracket e \rrbracket_\eta\,|\!\} \]
where $\ell$ is the least natural number not contained in $\mathrm{dom}(h)$. Since $x$ is not free in $e$ and $P$, we have $\llbracket e \rrbracket_{\eta'} = \llbracket e \rrbracket_\eta$ and $\llbracket P \rrbracket_\eta = \llbracket P \rrbracket_{\eta'}$. Thus by the assumption on $h$ we obtain:
\[ h' \in \llbracket P * x \mapsto e \rrbracket_{\eta',\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r. \]
Then the assumption that $\{P * x \mapsto e\}\ \text{`}C\text{'}\ \{Q\}$ is valid implies:
\[ \llbracket C \rrbracket_{\eta'}\,h' \in \mathrm{Ad}(\llbracket Q \rrbracket_{\eta',\rho}(w) * \iota^{-1}(w)(\mathit{emp}) * r). \]
Using the fact that $\llbracket \mathsf{let}\ x=\mathsf{new}\ e\ \mathsf{in}\ C \rrbracket_\eta(h) = \llbracket C \rrbracket_{\eta'}\,h'$ and since $\llbracket Q \rrbracket_{\eta'} = \llbracket Q \rrbracket_\eta$, this proves the statement. □

Lemma B.12 (Auxiliary variable). Assume that $x$ is not free in $e$. Then the axiom

ExistAux: $\Sigma;\Gamma \vdash (\forall x.\,\{P\}\,e\,\{Q\}) \Rightarrow \{\exists x.\,P\}\,e\,\{\exists x.\,Q\}$

is valid.

Proof. Let $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$, and fix $w \in W$. For each $d \in \mathit{Val}$, let $\eta_d = \eta[x := d]$, $p_d = \llbracket P \rrbracket_{\eta_d,\rho}$ and $q_d = \llbracket Q \rrbracket_{\eta_d,\rho}$. Since $x$ is not free in $e$, we have $\llbracket e \rrbracket_{\eta_d} = \llbracket e \rrbracket_\eta$. Thus, a similar reasoning with rank as that in the proof of Consequence implies that it is sufficient to prove the following claim:
\[ \text{for all } c,\ \text{if } w \models \{p_d\}\,c\,\{q_d\} \text{ for every } d, \text{ then } w \models \{\textstyle\bigsqcup_d p_d\}\,c\,\{\textstyle\bigsqcup_d q_d\}. \]
Assume $w \models \{p_d\}\,c\,\{q_d\}$ for every $d$, let $r \in \mathit{UAdm}$ and $h \in (\bigsqcup_d p_d)(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We must show that $c(h) \in \mathrm{Ad}((\bigsqcup_d q_d)(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. By definition, $h = h' \cdot h''$ where $h' \in (\bigsqcup_d p_d)(w)$ and $h'' \in \iota^{-1}(w)(\mathit{emp}) * r$. Thus, for each $n$ there exists $d \in \mathit{Val}$ such that $\pi_n(h') \in p_d(w)$, and therefore $\pi_n(h) \in p_d(w) * \iota^{-1}(w)(\mathit{emp}) * r$ by the uniformity of $\iota^{-1}(w)(\mathit{emp}) * r$. From the assumption $w \models \{p_d\}\,c\,\{q_d\}$ we then obtain that for each $n$,
\[ c(\pi_n(h)) \in \mathrm{Ad}(q_d(w) * \iota^{-1}(w)(\mathit{emp}) * r) \subseteq \mathrm{Ad}((\textstyle\bigsqcup_d q_d)(w) * \iota^{-1}(w)(\mathit{emp}) * r). \]
Using the admissibility of $\mathrm{Ad}((\bigsqcup_d q_d)(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ and the continuity of $c$, it follows that $c(h) \in \mathrm{Ad}((\bigsqcup_d q_d)(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. □
Lemma B.13 (Invariance). The axiom

Invariance: $\Sigma;\Gamma \vdash \{P\}\,e\,\{Q\} \Rightarrow \{P \wedge \psi\}\,e\,\{Q \wedge \psi\}$ ($\psi$ is pure)

is valid.

Proof. Let $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$, and fix $w \in W$. Let $p = \llbracket P \rrbracket_{\eta,\rho}$, $q = \llbracket Q \rrbracket_{\eta,\rho}$ and $f = \llbracket \psi \rrbracket_{\eta,\rho}$. A similar reasoning with rank as that in the proof of (Conseq) implies that it is sufficient to prove the following claim:
\[ \text{for all } c,\ \text{if } w \models \{p\}\,c\,\{q\} \text{ then } w \models \{p \cap f\}\,c\,\{q \cap f\}. \]
But since $\psi$ is pure, either $f\,w = \mathit{Heap}$ for all $w \in W$ or $f\,w = \{\bot\}$ for all $w \in W$. In the former case, the above implication reduces to the identity axiom; in the latter case $w \models \{p \cap f\}\,c\,\{q \cap f\}$ always holds. □

Lemma B.14 (Disjunction). For all $P, P', Q, Q'$ and $e$, the axiom

Disj: $\{P\}\,e\,\{Q\} \wedge \{P'\}\,e\,\{Q'\} \Rightarrow \{P \vee P'\}\,e\,\{Q \vee Q'\}$

is valid.

Proof. Let $\eta \in \mathit{Env}$, $\rho \in \mathit{Pred}^\Xi$, and fix $w \in W$. Let $p = \llbracket P \rrbracket_{\eta,\rho}$, $p' = \llbracket P' \rrbracket_{\eta,\rho}$, $q = \llbracket Q \rrbracket_{\eta,\rho}$ and $q' = \llbracket Q' \rrbracket_{\eta,\rho}$. As in the preceding proofs, it suffices to show that
\[ \text{for all } c,\ \text{if } w \models \{p\}\,c\,\{q\} \text{ and } w \models \{p'\}\,c\,\{q'\}, \text{ then } w \models \{p \sqcup p'\}\,c\,\{q \sqcup q'\}. \]
For this, suppose that $r \in \mathit{UAdm}$ and let $h \in (p \sqcup p')(w) * \iota^{-1}(w)(\mathit{emp}) * r$. We must show that $c(h) \in \mathrm{Ad}((q \sqcup q')(w) * \iota^{-1}(w)(\mathit{emp}) * r)$. Note that $h \in (p \sqcup p')(w) * \iota^{-1}(w)(\mathit{emp}) * r$ entails that $h \in p(w) * \iota^{-1}(w)(\mathit{emp}) * r$ or $h \in p'(w) * \iota^{-1}(w)(\mathit{emp}) * r$. Therefore, by the assumption we know that $c(h) \in \mathrm{Ad}(q(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ or $c(h) \in \mathrm{Ad}(q'(w) * \iota^{-1}(w)(\mathit{emp}) * r)$, from which it follows that $c(h) \in \mathrm{Ad}((q \sqcup q')(w) * \iota^{-1}(w)(\mathit{emp}) * r)$ by the monotonicity of $*$ and of the closure operation. □